
How to Spot a Phishing Email: The Complete Guide for 2026

Adaptive Team

Phishing emails no longer arrive with conspicuous spelling errors and implausible premises. Messages are now composed in precise language, address recipients by name, and carry enough contextual detail to prompt action. Generative AI has fundamentally changed what it takes to spot a phishing email.

According to the APWG Phishing Activity Trends Report Q4 2025, over 850,000 phishing incidents were observed in Q4 2025 alone, with the full-year total reaching 3.8 million.

The IBM Cost of a Data Breach Report 2025 found that generative AI reduced the time required to craft a convincing phishing message from 16 hours to 5 minutes.

AI has rendered the traditional detection signals (poor grammar, generic salutations, obviously suspicious sender addresses) insufficient on their own. This guide provides a structured framework for identifying phishing emails across all current attack types, from foundational warning signs to AI-era indicators.

Check the sender first

  • The sender domain matches the organization's official website exactly, with no additional words, transposed letters, or numeral substitutions (e.g., paypa1.com, micros0ft-teams.net)
  • The display name and the email address are consistent; clicking or tapping the sender name reveals the underlying address
  • The message passes authentication with no "via," "on behalf of," or security warnings visible in the header

Read the message critically

  • The message does not apply pressure through phrases such as "your account will be suspended" or "respond within 24 hours"
  • The greeting references the recipient's actual name; generic salutations such as "Dear Customer" remain a reliable indicator of fraud, though targeted AI-generated campaigns may incorporate accurate names
  • Grammar, tone, and formatting are consistent throughout; overly formal or stilted phrasing may indicate AI-generated content
  • The request is contextually coherent; unexpected invoices, wire transfers, or vendor references to unfamiliar projects warrant independent verification

Inspect every link and attachment

  • Hovering over any link reveals a destination URL matching the sender's legitimate domain. On mobile, a long press displays the URL before navigation
  • No unsolicited attachments are present, particularly files with extensions such as .exe, .js, .bat, .vbs, .docm, .xlsm, or unexpected PDFs
  • QR codes embedded in the message body or attached documents do not direct recipients to unrecognizable destinations

Verify any sensitive request independently

  • The message does not request passwords, payment details, gift cards, or account credentials; no legitimate organization solicits this information via email
  • Any request to change payment details, payroll accounts, or access credentials has been confirmed through a separate, trusted communication channel
  • No unexpected MFA approval prompts arrived alongside the email; a push notification or code request the recipient did not initiate means someone already holds the password and is trying to complete the sign-in

Watch for advanced tactics

  • The email points the recipient to a contact channel that can be verified independently (the number on the organization's official website or on the back of a card) rather than to a single phone number embedded in the message; a lone callback number is the hallmark of callback phishing, where the attacker staffs the line
  • Links can route through legitimate platforms (DocuSign, SharePoint, Dropbox, Google Sites) to obscure a malicious final destination
  • The organization's standard approval process was followed. Email-only wire transfer requests with no phone or Teams confirmation are a significant warning sign

Key Takeaway: In the AI era, no single signal is definitive. Detection requires evaluating multiple indicators simultaneously, as modern phishing emails are engineered to eliminate the obvious red flags that older guidance relied upon.
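The header check in "Check the sender first" can be automated. The following is an added example, not code from the original page: it parses a message's Authentication-Results header (the RFC 8601 layout receiving mail servers write) and checks whether the SPF or DKIM identity that passed actually shares the From header's domain. That alignment is what DMARC enforces, and its absence is what a "via" or "on behalf of" label in a mail client reflects. Both sample messages, their domains and display names are constructed for illustration; the two-label registrable-domain shortcut and the display-name heuristic are assumptions that a production check would replace with the Public Suffix List and a maintained brand list.

```python
import email
import email.utils
import re
from email import policy

# Constructed sample, not a real capture: the display name claims PayPal, the
# From domain is the lookalike paypa1.com, SPF and DKIM pass for an unrelated
# mailer domain, and DMARC fails for the From domain.
LOOKALIKE_EML = """\
Authentication-Results: mx.example.net;
 spf=pass (sender IP is 203.0.113.10) smtp.mailfrom=bulk.mailer-host.example;
 dkim=pass header.d=mailer-host.example header.s=sel1;
 dmarc=fail (p=reject) header.from=paypa1.com
From: "PayPal Support" <service@paypa1.com>
To: user@example.net
Subject: Your account has been limited
Content-Type: text/plain

Please log in within 24 hours to restore access.
"""

# Constructed contrast case: every authenticated identity shares the From
# domain's registrable domain, so the message is aligned under DMARC.
ALIGNED_EML = """\
Authentication-Results: mx.example.net;
 spf=pass smtp.mailfrom=bounce.paypal.com;
 dkim=pass header.d=paypal.com header.s=pp-dkim1;
 dmarc=pass (p=reject) header.from=paypal.com
From: "PayPal" <service@paypal.com>
To: user@example.net
Subject: Your monthly statement is available
Content-Type: text/plain

Log in to view your statement.
"""


def registrable_domain(host: str) -> str:
    """Last two labels of a host name. Assumption for this example: no
    multi-label public suffixes (co.uk, com.au); production code should use
    the Public Suffix List instead."""
    return ".".join(host.lower().strip(".").split(".")[-2:])


def parse_auth_results(msg) -> dict:
    """Pull spf/dkim/dmarc verdicts and the identities they were evaluated
    against out of Authentication-Results headers (RFC 8601 layout)."""
    fields = {"spf": None, "dkim": None, "dmarc": None,
              "spf_domain": None, "dkim_domain": None, "dmarc_domain": None}
    for header in msg.get_all("Authentication-Results", []):
        flat = " ".join(str(header).split())          # unfold the header
        for method in ("spf", "dkim", "dmarc"):
            m = re.search(rf"\b{method}=(\w+)", flat)
            if m and fields[method] is None:
                fields[method] = m.group(1).lower()
        for key, prop in (("spf_domain", "smtp.mailfrom"),
                          ("dkim_domain", "header.d"),
                          ("dmarc_domain", "header.from")):
            m = re.search(rf"{re.escape(prop)}=([^\s;]+)", flat)
            if m and fields[key] is None:
                fields[key] = m.group(1).rsplit("@", 1)[-1].lower()
    return fields


def assess_sender(raw_eml: str) -> dict:
    """Return which authenticated identities align with the visible From
    domain, plus readable findings for anything that does not add up."""
    msg = email.message_from_string(raw_eml, policy=policy.default)
    display_name, address = email.utils.parseaddr(str(msg["From"]))
    from_domain = address.rsplit("@", 1)[-1].lower()
    auth = parse_auth_results(msg)
    org = registrable_domain(from_domain)

    # Relaxed DMARC alignment: a passing identity counts only if it shares the
    # From domain's registrable domain. spf=pass for someone else's domain says
    # nothing about the address the recipient sees.
    spf_aligned = (auth["spf"] == "pass" and auth["spf_domain"] is not None
                   and registrable_domain(auth["spf_domain"]) == org)
    dkim_aligned = (auth["dkim"] == "pass" and auth["dkim_domain"] is not None
                    and registrable_domain(auth["dkim_domain"]) == org)

    findings = []
    if auth["dmarc"] != "pass":
        findings.append(f"dmarc={auth['dmarc']} for {from_domain}")
    if not (spf_aligned or dkim_aligned):
        findings.append("no passing SPF/DKIM identity aligns with the From domain")
    # Heuristic (assumption): a brand display name should at least mention the
    # first label of the From domain; "PayPal Support" from paypa1.com fails.
    brand_label = org.split(".")[0]
    if display_name and brand_label not in display_name.lower().replace(" ", ""):
        findings.append(f"display name {display_name!r} does not match domain {from_domain}")

    return {"from_domain": from_domain, "spf_aligned": spf_aligned,
            "dkim_aligned": dkim_aligned, "auth": auth, "findings": findings}


if __name__ == "__main__":
    for label, sample in (("lookalike", LOOKALIKE_EML), ("aligned", ALIGNED_EML)):
        print(label, assess_sender(sample))
```

Run against the constructed lookalike message, the function reports three findings (DMARC failure, no aligned identity, display name that does not match the domain); the aligned message produces none. The point a practitioner should take from it is that "spf=pass" and "dkim=pass" are only meaningful once the domain they were evaluated for is compared with the From domain.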

What Is a Phishing Email? Definition and 2026 Context

A phishing email is a fraudulent message crafted to deceive the recipient into disclosing sensitive information, transferring funds, or executing an action that grants unauthorized access to systems or accounts.

Phishing attacks rely on social engineering principles, manipulating human psychology rather than directly exploiting technical vulnerabilities. The sender typically impersonates a trusted entity, such as a financial institution, a software platform, or an internal colleague, to establish false legitimacy.

Phishing emails are the most prevalent delivery mechanism for credential harvesting, malware distribution, and business email compromise. As generative AI lowers the cost and time required to produce convincing messages, the distinction between fraudulent and legitimate correspondence has narrowed significantly.

A phishing email typically exhibits one or more of the following characteristics:

  • Impersonates a trusted sender, such as a bank, a SaaS provider, or an internal executive, to establish false credibility
  • Creates urgency or fear to pressure the recipient into acting without verification, such as warnings of account suspension or unauthorized access
  • Contains a malicious link directing the recipient to a spoofed website designed to capture login credentials or financial data
  • Includes an attachment carrying malware, a macro-enabled document, or an HTML form that captures usernames and passwords
  • Requests sensitive information directly, including passwords, Social Security numbers, or payment details
  • Uses a spoofed or lookalike sender address that mimics a legitimate domain through typosquatting or homograph characters
  • Employs generic or contextually mismatched greetings inconsistent with how the impersonated organization typically communicates
  • Incorporates a QR code (quishing) or shortened URL to obscure the true destination and bypass email security gateways
  • Applies visual elements, logos, and formatting copied from legitimate organizations to replicate the appearance of official correspondence
  • Exhibits subtle inconsistencies in tone, domain structure, or branding that diverge from verified communications

Why Spotting Phishing Emails Is Critical in 2026

Phishing is the most frequently reported cybercrime in the United States by complaint volume and a primary entry point for some of the most damaging breaches on record. Data from 2025 and 2026 establish both the scale of the threat and its direct financial consequences.

Understanding how to identify phishing emails is essential, as this attack vector remains one of the most prevalent cyberthreats targeting both organizations and individuals.

Why Are Employees Still the Most Targeted Phishing Attack Surface?

The Verizon Data Breach Investigations Report 2026 found the human element present in 62% of breaches, with phishing accounting for 16% of incidents as an initial access vector. Specifically in the context of social engineering, phishing is the most common action (at 66%), with email the most common vector in social engineering breaches (at 98%).

Phishing emails exploit cognitive biases related to urgency, authority, and familiarity rather than technical vulnerabilities, meaning that even organizations with mature security infrastructure remain exposed when employees cannot identify phishing email red flags at the point of delivery.

FBI IC3 2025: Phishing Complaint Volume and Financial Losses

According to the FBI IC3 2025 Annual Report, phishing and spoofing topped all reported crime categories by complaint volume, with over 191,000 complaints filed. Reported losses directly attributed to phishing complaints escalated from $70 million in 2024 to $215.8 million in 2025, a 208% year-over-year increase. This figure reflects only losses categorized specifically as phishing and spoofing.

Business email compromise, which frequently relies on phishing as the initial delivery mechanism, is tracked separately by the FBI and accounted for over $3 billion in reported losses in 2025. The combined exposure across phishing-enabled crime categories is substantially higher than any single line item suggests.

Regulatory, Reputational, and Operational Risk from a Successful Phishing Attack

For enterprises, a successful phishing attack frequently serves as the entry point for credential harvesting, ransomware deployment, and lateral movement across corporate networks. Reputational, regulatory, and operational costs compound the direct financial damage. Organizations in regulated industries face additional liability under data protection frameworks when a breach traces back to missing email authentication controls such as SPF, DKIM, and DMARC.

Who Gets Targeted Most: Executives, Finance Teams, and SMBs

Senior executives are the primary targets of whaling and CEO fraud campaigns. Employees in finance, human resources, and IT operations face disproportionate targeting due to their access to payment systems, personnel data, and administrative credentials. Small and medium-sized businesses face compounded risk, as they are frequent targets and typically have fewer dedicated security resources to detect and respond to phishing attempts.

How Phishing Emails Have Evolved Over Time

Understanding why phishing emails are increasingly difficult to detect requires tracing how attack methods have developed from rudimentary deception to AI-assisted, industrially scaled operations.

  • Early-stage phishing: The first phishing campaigns were broadly distributed, low-effort messages targeting early internet users. Indicators were typically obvious: generic greetings, inconsistent formatting, implausible premises, and domain names with no relation to the impersonated entity
  • Mass email campaigns: As email adoption expanded, attackers began impersonating financial institutions and government agencies at scale. Volume was the primary strategy, with millions of identical messages deployed in the expectation that a small percentage of recipients would respond. Spelling errors and broken HTML remained common artifacts
  • Targeted spear phishing: Cybercriminals began incorporating personally identifiable information gathered from data breaches and public social media profiles to construct contextually plausible messages. Spear phishing reduced obvious red flags and significantly increased the rate of successful credential harvesting
  • Brand impersonation and visual cloning (late 2010s): Attackers began replicating the exact visual design of trusted platforms, including Microsoft, DocuSign, and major banks. Spoofed login pages became indistinguishable from legitimate ones at a glance, with lookalike domains and homograph characters deployed to pass cursory sender verification
  • MFA bypass and AiTM techniques (early 2020s): Adversary-in-the-middle (AiTM) phishing kits emerged to intercept session tokens that render multi-factor authentication insufficient as a standalone control. Phishing no longer ended at credential theft; it extended to active session hijacking
  • Generative AI and deepfake integration (2024 to present): AI-generated messages now routinely pass the linguistic checks that previously helped recipients identify fraudulent correspondence. AI-generated deepfake voice and video have extended social engineering further into vishing and impersonation scenarios

What Is Phishing-as-a-Service?

The final and most consequential shift has been the commercialization of phishing infrastructure. Phishing-as-a-service (PhaaS) platforms now package phishing kits, hosting, MFA bypass mechanisms, and target lists into subscription-based services accessible to cybercriminals with minimal technical expertise.

The scale this model enables is illustrated by the Tycoon 2FA case. By mid-2025, Tycoon 2FA accounted for approximately 62% of all phishing attempts Microsoft blocked, including more than 30 million emails in a single month, placing it among the largest phishing operations ever observed.

In March 2026, a coalition led by Europol and Microsoft seized 330 domains and dismantled the platform, but the PhaaS model it exemplified remains active, with successor platforms already circulating in criminal marketplaces.

For those attempting to identify red flags in phishing emails, the industrialization of attack infrastructure means that volume, polish, and technical sophistication can no longer be treated as indicators of legitimacy.

How AI Has Enhanced Multi-Channel Phishing Attacks

The integration of generative AI into phishing operations has not simply improved the quality of individual emails; it has restructured how attacks are architected and delivered. Modern phishing campaigns frequently operate across multiple communication channels in coordinated sequences, with each stage reinforcing the credibility established by the previous one.

How AI Generates Personalized Spear Phishing Emails at Scale

AI-generated phishing emails no longer carry the grammatical inconsistencies and structural anomalies that once served as reliable detection signals. Generative AI tools produce messages that replicate the register, formatting conventions, and stylistic patterns of legitimate corporate correspondence with high fidelity.

More significantly, cybercriminals are augmenting these messages with context harvested from professional networks such as LinkedIn, incorporating accurate job titles, reporting relationships, recent organizational announcements, and project references to produce communications that appear internally credible.

Email, Voice, Video, and SMS: How AI Phishing Attacks Chain Multiple Channels

AI-assisted campaigns increasingly operate across email, voice, and SMS in structured sequences rather than relying on a single delivery vector.

A common pattern begins with a phishing email impersonating an internal executive or trusted vendor, followed by a video or voice call using AI-synthesized audio to reinforce the request, and concludes with an SMS containing the malicious link. Each channel lends credibility to the others, compressing the recipient's decision window and reducing the likelihood of independent verification.

According to the APWG Phishing Activity Trends Report Q4 2025, SMS-based fraud detections grew by 30 to 40% quarter-over-quarter.

Voice phishing (vishing) has followed a parallel curve, with detection rates surging 442% between H1 and H2 2024 according to the CrowdStrike 2025 Global Threat Report.

Refer to the AI Deepfake Webinar to understand how deepfake technology is being used in phishing and social engineering attacks and what security teams can do to counter it.

How Generative AI Has Changed the Classic Phishing Detection Signals

For more than two decades, security awareness training emphasized a consistent set of detection signals: grammatical errors, generic salutations, implausible urgency, and mismatched sender domains. Generative AI has rendered each of these substantially less reliable by eliminating the underlying production constraints that gave rise to them.

Large language models produce contextually coherent, grammatically precise prose in any language and register on demand, replicating the internal communication style, terminology, and sender context of legitimate organizations without specialized writing skills.

A December 2024 study by researchers at Harvard Kennedy School, published on arXiv (2412.00586), found that fully AI-automated spear phishing emails achieved a 54% click-through rate on human subjects, equivalent to emails crafted by human experts. Automated AI attacks now match skilled human operators at a fraction of the time and cost.

Dark-web offerings, of which the now-defunct WormGPT was the best-known example, provide large language models stripped of safety constraints and tuned for phishing campaigns, placing AI-assisted attacks within reach of any cybercriminal with a modest budget.

The degradation of heuristic-based detection shifts the burden toward behavioral and structural analysis: verifying sender authentication records, inspecting underlying URLs, and scrutinizing unusual requests regardless of apparent message quality.

What Does a Phishing Email Look Like? The Anatomy of a Phishing Email

Refer to the image below for a quick reference guide on how to spot a phishing email:

How to spot a phishing email in the AI era extends well beyond checking for poor grammar and implausible requests.

10 Examples of Phishing Subject Lines

Phishing email subject lines are frequently designed to provoke urgency, fear, or curiosity, psychological triggers that reduce critical thinking and increase the likelihood of user interaction. The following examples represent documented phishing subject lines drawn from reported campaigns, each employing a distinct manipulation tactic.

1. "Your Account Has Been Compromised. Immediate Action Required"

This subject line exploits fear of financial or data loss. The combination of an alarming claim and a directive to act immediately pressures recipients into clicking without verifying the sender's legitimacy. It is commonly used in campaigns impersonating banks and payment platforms.

2. "Unusual Sign-In Activity Detected on Your Account"

Mimicking legitimate security notifications from providers such as Google or Microsoft, this subject line creates anxiety around unauthorized access. Threat actors use it to direct victims to credential-harvesting login pages that replicate official interfaces.

3. "Your Package Could Not Be Delivered. Schedule Redelivery"

Delivery-themed phishing surged alongside the growth of e-commerce. This subject line impersonates logistics providers such as FedEx, UPS, or national postal services. Recipients are directed to fraudulent tracking pages designed to capture personal or payment information.

4. "Action Required: Verify Your Payment Information"

Financial subject lines rank among the most effective phishing lures. This phrasing implies an existing account relationship and suggests that failure to act will result in service interruption. It is frequently deployed in campaigns targeting users of streaming platforms, e-commerce accounts, and subscription services.

5. "You Have a Pending Tax Refund. Claim Now"

Tax authority impersonation is a well-documented phishing vector, particularly during filing seasons. Cybercriminals impersonate agencies such as the IRS or HMRC, offering refunds to lure recipients into submitting personal and financial data via fraudulent government-style forms.

6. "Your IT Department Requires You to Reset Your Password Immediately"

Internal impersonation attacks, also known as IT helpdesk phishing, target corporate environments. By mimicking internal communications, this subject line bypasses the skepticism recipients might apply to external senders. It is a common precursor to business email compromise and network infiltration.

7. "Shared a File With You via Google Drive"

Collaboration platform lures have become increasingly prevalent as cloud-based workflows expand. This subject line replicates standard file-sharing notifications, directing recipients to malicious documents or credential-capture pages hosted on platforms that appear trustworthy.

8. "Congratulations! You Have Been Selected for an Exclusive Reward"

Prize and reward lures exploit reciprocity and greed. While less sophisticated than impersonation-based attacks, these subject lines remain effective in high-volume phishing campaigns targeting general consumer populations. They typically redirect to survey pages or fake prize portals designed to harvest data.

9. "Invoice #[XXXXX] Attached: Payment Due"

Business-targeted phishing frequently employs invoice fraud lures to reach finance departments and accounts payable personnel. The inclusion of a fake invoice number adds perceived legitimacy. Attachments in these campaigns typically contain malware or links to credential-stealing portals.

10. "Your Subscription Will Expire Today. Renew to Avoid Interruption"

Subscription expiration lures create artificial time pressure, a tactic known as manufactured urgency. This subject line is used in campaigns impersonating antivirus providers, streaming services, and SaaS platforms. The goal is typically to capture payment card data through fraudulent renewal pages.

16 Phishing Email Red Flags and Warning Signs: AI-Era Detection Checklist

The detection indicators below are drawn from multiple sources, including a cross-agency framework that reflects current threat conditions. In October 2023, CISA, the NSA, the FBI, and MS-ISAC jointly published Phishing Guidance: Stopping the Attack Cycle at Phase One.

The document provides detailed insight into malicious techniques, as well as technical mitigations and best practices to help prevent successful phishing attempts.

The FTC's How to Recognize and Avoid Phishing Scams guide and CISA's Recognize and Report Phishing resource also provide complementary consumer-facing guidance aligned with the indicators described here.

Sign 1: Fake Sender Domain: How to Verify a Phishing Email's True Origin

The sender address is the most important element to verify in any suspicious email, and it is consistently the most manipulated. Cybercriminals exploit two main techniques to construct sender domains that pass cursory inspection: typosquatting and homoglyph attacks.

What Is Typosquatting in Phishing Emails?

Typosquatting involves registering a domain that closely resembles a legitimate one through deliberate misspelling, character substitution, transposition of adjacent letters, or structural modification, such as appending a word (microsoft-support.com), substituting a numeral for a letter (paypa1.com), or swapping one letter for a similar-looking one (amazom.com).

What Are Homoglyph Attacks in Phishing Emails?

Homoglyph attacks operate at a more technical level, substituting one or more characters in a legitimate domain with Unicode lookalikes from another script, producing a domain that renders identically to the genuine one in most fonts and email clients.

The following constructions illustrate techniques actively recorded in phishing campaigns:

  • paypa1.com: substitutes the numeral "1" for the letter "l," a pair that renders nearly identically in many sans-serif fonts
  • amazom.com: replaces the final "n" of "amazon" with "m," exploiting the brain's tendency to recognize familiar word shapes rather than read individual characters
  • micros0ft-teams.net: combines a letter-to-number substitution with a hyphenated structure to impersonate a Microsoft product portal
  • rnicrosoft.com: a documented late-2025 campaign in which attackers replaced "m" with "rn," a pair that reads as a single "m" in common digital fonts, particularly on mobile screens where address bars truncate displayed URLs

How Attackers Fake the Sender Display Name, and How to Check the Address

Email clients display the sender's friendly name by default, suppressing the underlying email address unless the recipient actively inspects the sender field. This display name is entirely attacker-controlled and carries no authentication weight. A message can display "PayPal Support" while originating from a completely unrelated domain.

Key takeaway: Verify the address behind the display name, not the name itself. Read the part after the "@" from right to left: the registrable domain (the label immediately before .com, .net, and so on, together with that suffix) is what identifies the sender, and anything to its left is a subdomain the owner of that registrable domain can set freely. For instance, example@microsoft-teams.com is not a Microsoft address: its registrable domain is microsoft-teams.com, not microsoft.com.
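The checks described under Sign 1 can be expressed as a small lookalike detector. This is an added example and not code from the original page: it reduces the registrable domain of a From address to the string a reader perceives (punycode decoded, a partial Cyrillic map applied, accents stripped, "rn" collapsed to "m", "1" to "l", "0" to "o") and compares that with a list of protected brand domains. The brand list, the confusable maps, the 0.8 similarity threshold and the two-label registrable-domain shortcut are assumptions made for illustration; the page's own examples (paypa1.com, amazom.com, micros0ft-teams.net, rnicrosoft.com) are the inputs it is exercised on, plus a Cyrillic homoglyph of paypal.com in both Unicode and punycode form.

```python
import email.utils
import unicodedata
from difflib import SequenceMatcher

# Brands this check protects. Assumption: an organization maintains its own
# list of the domains it and its key vendors send from.
PROTECTED_DOMAINS = {"paypal.com", "amazon.com", "microsoft.com"}

# Partial map of Cyrillic letters that render like Latin ones; the full
# reference is the Unicode confusables table (UTS #39).
CYRILLIC_TO_LATIN = str.maketrans({
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0455": "s", "\u0458": "j",
})

# ASCII sequences a reader resolves wrongly at a glance. Multi-character
# entries come first so "rn" collapses to "m" before single characters.
ASCII_CONFUSABLES = [("rn", "m"), ("vv", "w"), ("1", "l"), ("0", "o"),
                     ("3", "e"), ("5", "s")]


def decode_idna(domain: str) -> str:
    """Turn punycode labels (xn--...) back into the Unicode the user sees."""
    try:
        return domain.encode("ascii").decode("idna")
    except (UnicodeError, ValueError):
        return domain


def registrable_domain(host: str) -> str:
    """Last two labels. Assumption: no multi-label public suffixes (co.uk);
    use the Public Suffix List in production."""
    return ".".join(host.lower().strip(".").split(".")[-2:])


def skeleton(label: str) -> str:
    """Reduce a label to the ASCII string a human perceives."""
    text = decode_idna(label.lower()).translate(CYRILLIC_TO_LATIN)
    text = unicodedata.normalize("NFKD", text)          # split accents off base letters
    text = "".join(ch for ch in text if ch.isascii() and not unicodedata.combining(ch))
    for seq, replacement in ASCII_CONFUSABLES:
        text = text.replace(seq, replacement)
    return text.replace("-", "").replace("_", "")


def classify_sender_domain(domain: str) -> dict:
    """exact: the registrable domain is a protected brand domain.
    lookalike: it is not, but reads like one (typosquat or homoglyph).
    unrelated: it resembles no protected brand."""
    domain = decode_idna(domain.strip().lower())
    reg = registrable_domain(domain)
    if reg in PROTECTED_DOMAINS:
        return {"domain": domain, "verdict": "exact", "brand": reg, "score": 1.0}
    seen = skeleton(reg.split(".")[0])
    best_brand, best_score = None, 0.0
    for brand in PROTECTED_DOMAINS:
        brand_label = skeleton(brand.split(".")[0])
        if brand_label in seen:                        # brand name plus extra words
            score = 1.0
        else:
            score = SequenceMatcher(None, seen, brand_label).ratio()
        if score > best_score:
            best_brand, best_score = brand, score
    verdict = "lookalike" if best_score >= 0.8 else "unrelated"
    return {"domain": domain, "verdict": verdict,
            "brand": best_brand if verdict == "lookalike" else None,
            "score": round(best_score, 2)}


def classify_sender_header(from_header: str) -> dict:
    """Apply the check to a raw From header value, ignoring the display name."""
    _, address = email.utils.parseaddr(from_header)
    return classify_sender_domain(address.rsplit("@", 1)[-1])


if __name__ == "__main__":
    for sample in ("service@paypa1.com", "alerts@amazom.com", "it@micros0ft-teams.net",
                   "noreply@rnicrosoft.com", "billing@p\u0430ypal.com",
                   "account-security-noreply@accountprotection.microsoft.com",
                   "newsletter@example.net"):
        print(sample, classify_sender_domain(sample.split("@")[1]))
```

Note what the exact branch does and does not do: accountprotection.microsoft.com is classified as exact because its registrable domain is microsoft.com, while micros0ft-teams.net is a lookalike because its registrable domain is a different registration that merely contains the brand name. The skeleton comparison is a heuristic and will produce false positives on short brand names; it is a triage signal to feed a rule, not a verdict on its own.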

Sign 2: Urgent Language and Pressure Tactics: Phishing Email Warning Signs with Examples

Urgency is one of the most well-documented psychological levers in social engineering. When a recipient perceives time pressure, the cognitive resources allocated to critical evaluation are reduced, increasing the likelihood of compliance before verification. Phishing campaigns have exploited this principle consistently because it targets human decision-making rather than a technical vulnerability.

The following comparison illustrates phishing language patterns against the communication standards of legitimate organizations:

  • Phishing: "Your account has been suspended. Act immediately."
    Legitimate: "Action may be required on your account. Please log in to review."
  • Phishing: "Unusual sign-in activity detected. Verify now or lose access."
    Legitimate: "We noticed a sign-in from a new device. If this was you, no action is needed."
  • Phishing: "Final notice: Your payment failed. Update billing within 24 hours."
    Legitimate: "We were unable to process your most recent payment. Please update your billing information at your earliest convenience."
  • Phishing: "URGENT: Your mailbox has exceeded its limit. Click here to avoid loss of email."
    Legitimate: "Your mailbox is approaching its storage limit. Consider archiving older messages."
  • Phishing: "Immediate action required: your account will be permanently deleted."
    Legitimate: "Your subscription is set to expire. Renew to maintain access."

The distinguishing pattern is not urgency alone, but the combination of an extreme consequence, an artificially compressed timeline, and a single prescribed action with no alternative verification path offered.

How AI Phishing Emails Disguise Urgency with a Professional Tone

AI-generated phishing emails increasingly adopt a measured, professional tone that avoids explicit pressure language while achieving the same behavioral objective through framing. Security awareness training has conditioned many recipients to treat phrases such as "act immediately" as phishing signals, and cybercriminals have adapted accordingly.

How Phishing Email Requests Aim to Bypass the Normal Approval Process

The more dependable indicator in professional environments is a workflow anomaly: a request that deviates from established organizational processes regardless of tone. The most consequential example is a wire transfer or payment redirection request submitted exclusively via email, with no corresponding phone call, Teams message, or in-person confirmation.

Business email compromise campaigns follow this pattern precisely, with messages that are grammatically impeccable and contextually plausible but structurally bypass the multi-channel confirmation, approval hierarchies, and documented authorization steps that legitimate financial processes require.

Key takeaway: Any financial request or account update that arrives through a single channel and discourages standard confirmation warrants independent verification before any action is taken.

Sign 3: Generic Greetings and Mismatched Salutations as Phishing Email Indicators

For most of the history of phishing detection, the generic greeting was among the most reliable surface-level indicators of a fraudulent message.

Legitimate organizations that maintain customer or employee records use the recipient's name in transactional and account-related correspondence because that information is captured at registration and populated automatically into outbound communications.

A message purportedly from a bank, a SaaS platform, or an internal HR system that opens with a generic salutation signals that the sender does not have access to the recipient's actual account data, which is precisely what a legitimate sender would have.

Generic greetings that remain consistent phishing indicators include:

  • "Dear Customer"
  • "Dear Valued Member"
  • "Dear Account Holder"
  • "Hello User"
  • "To Whom It May Concern"
  • "Dear [First Name]" with the placeholder left unfilled, a template error that occasionally surfaces in poorly configured phishing kits

Why a Personalized Greeting Does Not Mean an Email Is Legitimate

The reliability of the generic greeting as a detection signal has been substantially eroded by spear phishing campaigns that incorporate accurate recipient information, especially in enterprise settings.

Cybercriminals conducting targeted attacks harvest names, job titles, department affiliations, reporting relationships, and organizational context from professional networks such as LinkedIn, data breach repositories, and publicly accessible corporate directories.

The information is used to construct messages that open with accurate personal details, reference colleagues or projects, and reflect genuine organizational context.

The critical implication is that personalization is not proof of legitimacy. A message that addresses the recipient by their correct full name, references their employer, their role, and a plausible current project is not thereby verified as genuine.

Key takeaway: Personalization establishes that the sender had access to information about the recipient; it does not establish that the sender is who they claim to be.

Sign 4: Unexpected or Suspicious Links

Malicious links are the operational core of most phishing campaigns. Whether the objective is credential harvesting, malware delivery, or session token interception, the link transfers the recipient from the email environment to attacker-controlled infrastructure. Identifying a suspicious link before clicking is one of the highest-value detection skills available.

How to Inspect a Link Before Clicking: Phishing Link Verification

On desktop email clients and webmail interfaces, hovering over a hyperlinked word or button without clicking causes the destination URL to appear in the browser's status bar at the bottom-left of the screen. The inspection process should follow this sequence:

  1. Hover over the link and allow the destination URL to appear in the status bar
  2. Read the domain carefully: the registrable domain is the label immediately to the left of the top-level domain (.com, .net, .org) together with that suffix, and it is the only part of the URL that identifies who controls the destination. Everything to its left (subdomains) and everything after it (path and query string) is chosen freely by whoever owns that registrable domain, so a link to login.microsoft.com.evilwebsite.com/account leads to evilwebsite.com, not to Microsoft
  3. Verify the domain matches the sender's legitimate domain exactly, accounting for typosquatting and homoglyph substitutions described in Sign 1
  4. If the destination does not match the claimed sender, treat the link as malicious regardless of what the display text states

On mobile devices, a long press on a hyperlink in most iOS and Android email clients displays a preview of the destination URL. This should be read carefully before proceeding.

Free Phishing Link Checker Tools: VirusTotal, URLScan, and More

For ambiguous links, free tools such as VirusTotal (which aggregates verdicts from many URL and antivirus engines) and urlscan.io (which loads the page in a sandbox and records the redirect chain, contacted domains, and a screenshot) provide verification without visiting the destination from your own device.

A clean result does not guarantee safety, as newly registered phishing domains frequently carry no detection history in their first hours of deployment. A flagged result, however, should be treated as confirmation that the link must not be followed.

Does HTTPS Mean a Site Is Safe? Why Padlock Icons Do Not Prevent Phishing

The padlock icon in a browser's address bar indicates that the connection between the browser and the destination server is encrypted. It makes no assertion about the legitimacy or intent of the website operator.

A cybercriminal can register a domain, obtain a free TLS certificate, and serve a convincing phishing page over HTTPS within minutes. Phishing pages hosted under HTTPS are the standard rather than the exception, and the padlock should not be interpreted as a safety signal.

URL Shorteners in Phishing Emails: How to Check Before Clicking

URL shortening services compress a destination URL into a redirect link that reveals nothing about the final destination before a click. When a shortened URL appears in an unsolicited email, it should be expanded first using a free service such as checkshorturl.com or unshorten.it, which return the full destination without initiating the redirect.

How Phishing Links Hide Behind Google, SharePoint, and DocuSign URLs

A more sophisticated technique embeds the malicious destination in a redirect hosted on a legitimate domain. The attacker constructs a URL on a trusted platform, such as a Google redirect, an open redirect on a Microsoft-owned domain, or an OAuth consent flow, that chains through the legitimate domain before forwarding the recipient to the malicious page.

The portion of the URL visible in the email may begin with google.com or microsoft.com, which can pass both automated scanning and manual inspection. The real destination usually travels in a query parameter, as in this representative structure: "example.com/redir.php?url=evilwebsite.com"

Key takeaway: The presence of a recognizable domain in a link is not sufficient verification that the final destination is safe. The full URL, including any path parameters or redirect chains, warrants inspection before following the link.
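The inspection sequence above, including the open-redirect case, can be carried out on the raw HTML of a link without touching the network. The following is an added example, not code from the original page: it extracts the href from an anchor element, resolves the host a browser would actually contact (including the userinfo trick, where text before an "@" is not the host), unwraps redirect-style query parameters such as url= and q=, and compares the final destination with the claimed sender's domain and with any URL shown in the link text. The parameter list, the sample anchors, and evilwebsite.com as a destination are constructed for illustration; the registrable-domain helper is the same two-label shortcut and should be a Public Suffix List lookup in production.

```python
import html
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Query parameters that commonly carry a forward destination in open redirects
# (assumption: extend from your own gateway's observations).
REDIRECT_PARAMS = ("url", "u", "q", "redirect", "redirect_uri", "redir", "next",
                   "target", "goto", "dest", "destination", "continue", "return",
                   "returnurl", "link")
# Something that looks like a URL or bare host; a search term in q= does not match.
URL_LIKE = re.compile(r"^(?:https?://)?[\w-]{2,}(?:\.[\w-]+)*\.[a-z]{2,}(?:[/?#]|$)", re.I)
ANCHOR = re.compile(r'<a\s+[^>]*?href\s*=\s*["\']([^"\']+)["\'][^>]*>(.*?)</a>', re.I | re.S)


def with_scheme(url: str) -> str:
    return url if "://" in url else "http://" + url


def registrable_domain(host: str) -> str:
    """Last two labels; assumption: no multi-label public suffixes (co.uk)."""
    return ".".join(host.lower().strip(".").split(".")[-2:])


def real_host(url: str) -> str:
    """Host the browser will contact. urlsplit treats anything before '@' as
    userinfo, so https://microsoft.com@evilwebsite.com/ resolves to
    evilwebsite.com."""
    return (urlsplit(with_scheme(url)).hostname or "").lower()


def unwrap_redirects(url: str, max_depth: int = 5) -> list:
    """Follow redirect-style query parameters offline, returning the chain of
    URLs from the one in the email to the final destination."""
    chain = [url]
    for _ in range(max_depth):
        query = parse_qs(urlsplit(with_scheme(chain[-1])).query)
        next_url = None
        for name in REDIRECT_PARAMS:
            for value in query.get(name, []):
                value = unquote(value)            # parse_qs decoded once; handle double-encoding
                if URL_LIKE.match(value):
                    next_url = value
                    break
            if next_url:
                break
        if next_url is None:
            break
        chain.append(next_url)
    return chain


def inspect_anchor(anchor_html: str, sender_domain: str) -> dict:
    """Compare what an <a> element shows with where it really goes."""
    m = ANCHOR.search(anchor_html)
    if not m:
        raise ValueError("no <a href=...> element found")
    href = html.unescape(m.group(1)).strip()
    text = html.unescape(re.sub(r"<[^>]+>", "", m.group(2))).strip()
    chain = unwrap_redirects(href)
    final_host = real_host(chain[-1])
    findings = []
    if registrable_domain(final_host) != registrable_domain(sender_domain):
        findings.append(f"final destination {final_host} is not under {sender_domain}")
    if len(chain) > 1:
        findings.append(f"redirects through {real_host(chain[0])} before reaching {final_host}")
    if urlsplit(with_scheme(href)).username:
        findings.append("userinfo before '@' disguises the real host")
    if URL_LIKE.match(text) and registrable_domain(real_host(text)) != registrable_domain(final_host):
        findings.append(f"link text shows {real_host(text)} but the link goes to {final_host}")
    return {"href": href, "text": text, "chain": chain, "final_host": final_host,
            "verdict": "suspicious" if findings else "consistent", "findings": findings}


if __name__ == "__main__":
    samples = [
        ('<a href="https://www.google.com/url?q=https%3A%2F%2Fevilwebsite.com%2Flogin">'
         'https://portal.microsoft.com/</a>', "microsoft.com"),
        ('<a href="https://microsoft.com@evilwebsite.com/login">Sign in</a>', "microsoft.com"),
        ('<a href="http://example.com/redir.php?url=evilwebsite.com">Review document</a>', "example.com"),
        ('<a href="https://login.microsoftonline.com/common/oauth2">Sign in</a>', "microsoftonline.com"),
    ]
    for anchor, sender in samples:
        print(inspect_anchor(anchor, sender))
```

The unwrapping is deliberately offline: it reads the destination out of the query string rather than following the redirect, so it never fetches attacker infrastructure and never leaks the fact that the link was examined. A genuine Google search link (q=phishing) is left alone because the parameter value is not URL-shaped, which is the edge case that separates this from naively treating every q= as a redirect.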

Sign 5: Unsolicited or Unexpected Attachments

Email attachments are among the primary malware delivery mechanisms in phishing campaigns. Established organizations have no operational reason to deliver sensitive account information, invoices, or security notifications as attachments: banks direct customers to secure portals, SaaS platforms link to in-app dashboards, and government agencies publish documents through official web properties.

Portal-based delivery provides access logging, authentication checks, and audit trails that attachment delivery does not. When a message delivers its core content as an attachment rather than directing the recipient to an authenticated web destination, that structural choice is itself a phishing indicator.

Dangerous File Types in Phishing Emails That Should Never Be Opened

The following file types can carry executable or macro-enabled characteristics that make them primary malware delivery vehicles when received without prior arrangement:

  • .exe: a Windows executable; virtually no legitimate business communication requires one to be delivered by email
  • .js: executes system-level commands through the Windows Script Host when opened outside a browser
  • .bat and .cmd: Windows batch scripts that execute system commands upon opening
  • .vbs: Visual Basic Script files, a common delivery mechanism for credential stealers and ransomware droppers
  • .docm and .xlsm: macro-enabled Office files that execute embedded code upon opening, widely used in ransomware campaigns
  • .ps1: PowerShell scripts with deep access to Windows system functions, increasingly common in enterprise-targeted campaigns
  • .iso and .img: disk image files adopted by threat actors after Microsoft's 2022 decision to block macros in downloaded Office files, as these containers bypass Mark-of-the-Web security warnings
  • PDF: carries a strong association with legitimate business correspondence, which attackers exploit through embedded malicious links, JavaScript execution, and, in some cases, zero-click exploits triggered by preview pane rendering
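As an added example (not code from the original article or its authors), the following shows how a mail gateway or triage script would apply the list above to a real message: it walks the attachments of an RFC 5322 message with Python's standard `email` library and classifies each file name. It blocks the executable, script and macro types listed above together with the `.iso`/`.img` containers, routes PDFs for review rather than blocking them, and covers two presentation tricks the list implies: a double extension such as `invoice.pdf.exe`, which Windows Explorer shows as `invoice.pdf` because known extensions are hidden by default, and a right-to-left override character that makes `invoice<RLO>fdp.exe` display as `invoiceexe.pdf`. The policy table and the sample message are constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Policy table built from the file types listed above (illustrative, not any
# product's configuration). PDFs are not blocked outright but routed for review.
EXECUTABLE_EXTENSIONS = {".exe", ".js", ".bat", ".cmd", ".vbs", ".ps1", ".docm", ".xlsm"}
CONTAINER_EXTENSIONS = {".iso", ".img"}   # bypass Mark-of-the-Web, as noted above
REVIEW_EXTENSIONS = {".pdf"}
BIDI_CONTROLS = "\u202e\u202d\u200e\u200f"   # RLO, LRO, LRM, RLM


def classify_filename(name: str) -> str:
    """Return 'block', 'review' or 'allow' for an attachment file name.

    Only the last extension decides what Windows will execute, so
    'invoice.pdf.exe' is treated as an executable even though Explorer
    (which hides known extensions by default) would show it as 'invoice.pdf'.
    """
    if not name.strip():
        return "review"               # unnamed parts cannot be judged by name
    # A right-to-left override makes 'invoice<RLO>fdp.exe' render as
    # 'invoiceexe.pdf'; any bidi control character in a file name is blocked.
    if any(ch in name for ch in BIDI_CONTROLS):
        return "block"
    lowered = name.strip().lower()
    if "." not in lowered:
        return "allow"
    last_ext = "." + lowered.rsplit(".", 1)[1].strip()
    if last_ext in EXECUTABLE_EXTENSIONS or last_ext in CONTAINER_EXTENSIONS:
        return "block"
    if last_ext in REVIEW_EXTENSIONS:
        return "review"
    return "allow"


def scan_attachments(raw_message: bytes) -> list:
    """Walk a raw RFC 5322 message and classify every attachment by file name."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    results = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        results.append((name or "(unnamed)", classify_filename(name)))
    return results


def build_sample_message() -> bytes:
    """Constructed sample: an 'invoice' mail carrying three attachments."""
    msg = EmailMessage()
    msg["From"] = "billing@vendor.example"
    msg["To"] = "ap@company.example"
    msg["Subject"] = "Invoice 4471"
    msg.set_content("Please find the invoice attached.")
    msg.add_attachment(b"%PDF-1.4 constructed", maintype="application",
                       subtype="pdf", filename="invoice-4471.pdf")
    msg.add_attachment(b"MZ constructed", maintype="application",
                       subtype="octet-stream", filename="invoice-4471.pdf.exe")
    msg.add_attachment(b"constructed", maintype="application",
                       subtype="octet-stream", filename="statement.iso")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, verdict in scan_attachments(build_sample_message()):
        print(f"{verdict:7} {name}")
```

File-name classification is a first filter only; a gateway would still sandbox anything it lets through, since a `.docm` renamed to `.docx` or a PDF with embedded JavaScript is not visible from the name.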

Spotting Phishing Attachments in B2B Email: Vendor Invoice Fraud and Other Threats

The most difficult attachment-based scenario to detect involves messages where an attachment is structurally expected. In business-to-business environments, invoices, purchase orders, remittance advice, and contracts are routinely exchanged as email attachments.

Cybercriminals conducting vendor impersonation campaigns exploit this expectation by introducing malicious documents into active email threads, with sender addresses and surrounding context that align with genuine business activity. This is known as thread hijacking.

Detection in these scenarios depends on process adherence rather than file type recognition. Invoices referencing new banking details, payment documents arriving outside the normal billing cycle, and purchase orders from unfamiliar contacts all warrant independent verification before any document is opened or payment processed.

Key takeaway: Unexpected attachments should be verified by contacting the sender directly using details from an established internal record, never from the email in question.

Sign 6: Why Grammar Is No Longer a Reliable Phishing Email Warning Sign in 2026

Grammar quality has historically been a reliable phishing detection signal. Cybercriminals operating across language barriers, or using rudimentary automation to generate content at volume, produced messages with characteristic errors that careful recipients could identify:

  • Misspelled words
  • Incorrect verb conjugations
  • Misused prepositions
  • Syntactically disordered sentences
  • Inconsistent punctuation

These artifacts remain valid indicators for lower-sophistication campaigns. Bulk, undifferentiated phishing operations targeting large recipient pools may not incorporate AI content generation at the message level, and recipients who encounter obvious grammatical errors should still treat them as a phishing email warning sign.

How to Spot AI-Generated Phishing Emails When the Grammar Is Flawless

The more consequential shift is in the other direction. Generative AI produces grammatically flawless prose as a default output characteristic. A cybercriminal using current language model tools generates content that passes grammar checks, maintains consistent tense, uses field-appropriate vocabulary, and replicates the structural conventions of professional correspondence without any specialized writing skills.

Grammatical quality no longer differentiates between legitimate correspondence and AI-generated phishing content.

AI Phishing Email Red Flags: Tone, Register, and Phrasing Anomalies to Watch For

As error rates decline in sophisticated phishing content, a different set of linguistic indicators has emerged. None is individually definitive, but in combination, they can suggest inauthentic content:

  • Overly formal language for the context: AI models default to formal register unless specifically prompted otherwise, producing messages that read like legal documents when a conversational tone would be expected
  • Stilted phrasing: Grammatically correct constructions that do not reflect natural idiomatic usage, with unnecessarily complex sentence structures where direct phrasing would be standard
  • Inconsistent tone within a single message: A shift from warm, personalized language to clinical, passive-voice phrasing mid-paragraph is among the more reliable indicators of AI-assisted composition
  • Context-free references: Apparently specific details, such as a reference to a prior interaction the recipient has no record of, that cannot be independently verified

Key takeaway: Grammar and linguistic style analysis is an increasingly unreliable detection method in 2026. These signals are supplementary indicators to be considered alongside structural and technical verification, not primary detection mechanisms.

Sign 7: Requests for Sensitive Information

No legitimate organization requests passwords, Social Security numbers, credit card numbers, or gift card codes via email. This principle applies without exception across financial institutions, government agencies, healthcare providers, technology platforms, and internal corporate functions.

These categories of information are either verified through authenticated portal sessions, collected through secure payment processing systems, or handled through documented in-person or telephone processes that require identity verification.

When an email requests any of the following, it should be treated as a phishing attempt regardless of how legitimate the sender appears:

  • Account passwords or security PINs
  • Social security or national identification numbers
  • Full credit or debit card numbers, CVV codes, or expiration dates
  • Gift card codes or wire transfer confirmations to unfamiliar accounts
  • One-time passcodes or MFA verification codes

Business Email Compromise: How Phishing Triggers Payment and Payroll Redirection

Business email compromise campaigns frequently target financial processes through a structurally different request: rather than asking for sensitive data directly, the attacker requests a change to existing payment records.

Common patterns include a vendor contact requesting that future invoices be paid to a new bank account, an HR communication instructing payroll to redirect an employee's direct deposit to a different account, or a finance request to update supplier payment details ahead of a scheduled transaction.

These requests are designed to appear as routine administrative updates rather than sensitive data disclosures, which is precisely what makes them effective.

Key takeaway: Any email requesting sensitive information or changes to financial records should be verified through an independent contact method before any action is taken.

Sign 8: Fake Login Pages and Credential Harvesting Sites

Phishing emails frequently direct recipients to credential harvesting pages that replicate the visual design of legitimate login portals with high fidelity. Cloned Microsoft 365, Google Workspace, and banking login pages are among the most common, designed to capture usernames and passwords as soon as they are entered.

The destination page may display a valid TLS certificate, correct branding, and a plausible URL constructed through the typosquatting or trusted-infrastructure techniques described in Signs 1 and 15. Credentials submitted on these pages are transmitted directly to the attacker.

The scale of the threat these pages represent is reflected in Microsoft's operational data. Microsoft screens 5 billion emails daily to protect users from malware and phishing, and analyzes an average of 38 million identity risk detections.

According to the Microsoft Digital Defense Report 2025, identity-based attacks surged by 32% in the first half of 2025, and 97% of those attacks were password spray or brute force attacks.

Key takeaway: Credential theft at scale remains a primary objective of phishing infrastructure, and fake login pages are the primary collection mechanism.

Sign 9: Email Header Authentication: How to Check SPF, DKIM, and DMARC (Even for Non-Experts)

Email headers contain a hidden authentication record that reveals whether a message genuinely originated from the domain it claims to represent.

Why SPF, DKIM, and DMARC Authentication Matter for Phishing Detection

Every email is accompanied by an authentication record documenting whether the sending domain passed three core checks:

  • SPF: Confirms the message was sent from an authorized server
  • DKIM: Confirms the message content was not altered in transit
  • DMARC: Confirms the visible sender domain aligns with the authenticated sending infrastructure

Legitimate emails from reputable organizations pass all three. Spoofed emails frequently fail one or more.

How to Check Email Authentication in Gmail, Outlook, and Apple Mail

In Gmail, open the message, select the three-dot menu, and choose "Show original." The top of the resulting page displays a plain summary showing whether SPF, DKIM, and DMARC each read "PASS" or "FAIL."

In Outlook, open the email in its own window, select File, then Properties, and locate the "Internet headers" field. In the web interface, select the three-dot menu and choose "View message details," then locate the Authentication-Results line.

In Apple Mail, navigate to View > Message > All Headers. The Authentication-Results field appears above the message body.

What SPF, DKIM, and DMARC Results Tell About a Suspicious Email

A legitimate message returns:

  • spf=pass
  • dkim=pass
  • dmarc=pass

Any "fail," "softfail," or "none" result on a message requesting credentials, a payment, or sensitive information warrants immediate suspicion. A DMARC failure on a message claiming to originate from a financial institution or corporate domain is a strong indicator of fraud regardless of how legitimate the content appears.

Recipients who find raw headers difficult to parse can paste the full header text into the Google Admin Toolbox Message Header Analyzer at toolbox.googleapps.com/apps/messageheader for a plain-language summary.
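The Authentication-Results line the steps above locate is machine-readable, and the check the section describes (all three methods pass, and the authenticated domain matches the visible From: domain) can be scripted. The following is an added example, not code from the original article or its authors. It unfolds and parses an Authentication-Results header, reads the SPF, DKIM and DMARC results together with the `smtp.mailfrom`, `header.d` and `header.from` properties, and applies a simplified relaxed-alignment test against the From: domain. The two header sets are constructed samples: one resembling a genuine bank alert, one a spoof relayed through an unrelated bulk sender. The alignment helper is a simplification of the DMARC organizational-domain rule (it treats equality or a subdomain relationship as aligned), stated here as an assumption.

```python
import re
from email.utils import parseaddr

# Constructed sample (From header, Authentication-Results value) pairs.
LEGITIMATE_SAMPLE = (
    '"Bank Alerts" <alerts@bank.example>',
    "mx.company.example;\n"
    " spf=pass (sender IP is 203.0.113.10) smtp.mailfrom=bank.example;\n"
    " dkim=pass header.d=bank.example header.s=sel1;\n"
    " dmarc=pass (p=REJECT) header.from=bank.example",
)
SPOOFED_SAMPLE = (
    '"Bank Alerts" <alerts@bank.example>',
    "mx.company.example;\n"
    " spf=pass smtp.mailfrom=bounce@bulk-sender.example;\n"
    " dkim=none;\n"
    " dmarc=fail (p=NONE) header.from=bank.example",
)

METHOD_RE = re.compile(r"^(spf|dkim|dmarc)=(\w+)", re.I)
PROP_RE = re.compile(r"\b(smtp\.mailfrom|header\.d|header\.from)=([^\s;()]+)", re.I)


def parse_authentication_results(value: str) -> dict:
    """Parse an Authentication-Results value into {method: {"result": ..., props...}}."""
    unfolded = " ".join(line.strip() for line in value.splitlines())
    clauses = [c.strip() for c in unfolded.split(";") if c.strip()]
    parsed = {}
    for clause in clauses[1:]:              # clauses[0] is the authserv-id
        m = METHOD_RE.match(clause)
        if not m:
            continue                         # e.g. arc= or iprev=, not needed here
        method, result = m.group(1).lower(), m.group(2).lower()
        props = {k.lower(): v.lower() for k, v in PROP_RE.findall(clause)}
        parsed[method] = {"result": result, **props}
    return parsed


def same_organization(domain: str, from_domain: str) -> bool:
    """Simplified relaxed alignment: equal, or one is a subdomain of the other."""
    domain, from_domain = domain.lower(), from_domain.lower()
    return bool(domain) and (domain == from_domain
                             or domain.endswith("." + from_domain)
                             or from_domain.endswith("." + domain))


def assess(from_header: str, auth_results: str) -> dict:
    """Combine the three results with an alignment check on the visible From: domain."""
    from_domain = parseaddr(from_header)[1].rpartition("@")[2].lower()
    results = parse_authentication_results(auth_results)
    verdicts = {m: results.get(m, {}).get("result", "none") for m in ("spf", "dkim", "dmarc")}
    dkim_domain = results.get("dkim", {}).get("header.d", "")
    # smtp.mailfrom may be a bare domain or a full bounce address
    spf_domain = results.get("spf", {}).get("smtp.mailfrom", "").rpartition("@")[2]
    aligned = ((verdicts["dkim"] == "pass" and same_organization(dkim_domain, from_domain))
               or (verdicts["spf"] == "pass" and same_organization(spf_domain, from_domain)))
    return {"from_domain": from_domain, **verdicts, "aligned": aligned,
            "suspicious": (not aligned) or any(v != "pass" for v in verdicts.values())}


if __name__ == "__main__":
    print("legitimate:", assess(*LEGITIMATE_SAMPLE))
    print("spoofed:   ", assess(*SPOOFED_SAMPLE))
```

The spoofed sample illustrates why SPF alone is not enough: `spf=pass` is genuine, but it passes for the bulk sender's own domain, not for bank.example, so the message is unaligned and DMARC fails. Only the Authentication-Results header written by your own receiving mail server should be trusted; an attacker can add a forged one upstream, which is why real deployments check the authserv-id in the first clause.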

Key takeaway: Checking email header authentication is available to any recipient regardless of technical background, takes under sixty seconds, and provides more reliable sender verification than any visual inspection of message content.

Sign 10: Channel-Switching Instructions: A Key Callback Phishing Red Flag

When an unsolicited message instructs the recipient to call a phone number, reply via SMS, log in to an unfamiliar portal, or continue a conversation through a personal email address, that channel-switching instruction is itself a phishing indicator, regardless of how legitimate the surrounding message appears.

Why Phishing Attackers Redirect Victims to Phone or SMS, and What It Means for Detection

Enterprise email environments are monitored by security gateways, URL scanners, and threat detection systems that analyze message content, links, and attachments. By moving the victim to a phone call, an SMS thread, or an unmonitored portal, the attacker exits that monitored environment entirely. The interaction that follows occurs outside the visibility of the organizational security infrastructure.

Suspicious Email Red Flags: Phone Numbers, SMS Redirects, and Remote Access Requests

The following instructions in an unsolicited email warrant immediate suspicion:

  • A phone number to call to resolve an account issue or cancel a subscription
  • An instruction to reply via SMS or WhatsApp rather than email
  • A link to an unfamiliar portal described as a secure communication platform
  • A request to continue the conversation through a personal email address
  • An instruction to download a remote access tool such as AnyDesk or TeamViewer

Key takeaway: No legitimate financial institution, software vendor, or internal IT function initiates contact via unsolicited email and then directs the recipient to call a number in that message. Independent verification through a number sourced from the organization's official website is the appropriate response.

Sign 11: Contextual Anomalies: When the Email Does Not Match Reality

As phishing campaigns incorporate more accurate personal and organizational data, surface-level indicators become less reliable. In these cases, the most valuable detection signal is contextual: something about the situation described in the email does not align with the recipient's experience.

Examples of Contextual Red Flags in Spear Phishing and BEC Emails

Contextual anomalies are inconsistencies between what the email describes and what the recipient knows to be true. Common examples include:

  • An email from a known vendor referencing a project, contract, or purchase order the recipient has no involvement with
  • An invoice for goods or services the organization did not order, particularly one that includes new payment details
  • A message from an internal colleague referencing a conversation or decision the recipient has no record of
  • A notification from a platform or service the recipient does not use or has not recently interacted with
  • A request that falls outside the recipient's normal responsibilities or that bypasses the expected organizational process

Spear phishing campaigns cannot reliably replicate the recipient's internal knowledge of their own context: which projects they are assigned to, which vendors they work with, and which processes would normally precede a specific request.

How to Verify a Contextual Anomaly Before Acting

A contextual anomaly that cannot be immediately explained warrants verification before any action is taken. Contacting the purported sender directly using a known, pre-existing contact method, with no details provided in the email itself, is sufficient to confirm or rule out the anomaly. If the sender is unaware of the message, the organization's security team should be notified immediately.

Key takeaway: That gap between what the email claims and what the recipient knows is a detection surface that AI-assisted phishing has not eliminated.

Sign 12: Prize, Refund, and Windfall Lures as Suspicious Email Red Flags

Prize notifications, unclaimed refund alerts, cryptocurrency windfall announcements, and inheritance notifications are among the oldest and most persistent phishing lure categories. Despite decades of public awareness, this category continues to produce victims in sufficient numbers to remain a fixture of the phishing landscape.

Common Phishing Email Lure Examples: Prizes, Refunds, Crypto Windfalls, and Inheritance Scams

Too-good-to-be-true phishing emails typically present one of the following scenarios:

  • A prize notification informing the recipient that they have won a drawing or competition, with a link or phone number to claim the reward
  • An unclaimed refund alert from a government agency, utility provider, or retailer, requesting banking details to process funds
  • A cryptocurrency windfall describing an unclaimed balance or investment return requiring account verification to access
  • An inheritance or estate notification from a legal representative, describing a sum held pending identity verification
  • A loyalty reward or employee recognition notice requiring login to an unfamiliar portal to claim a gift card or bonus

How to Check if a Prize or Refund Email Is a Phishing Scam

The most immediate verification step is straightforward: determine whether the recipient has any prior relationship with the contest, program, or institution making the claim. Legitimate prize notifications arrive only to documented participants in a specific promotion. If the recipient has no memory of entering a contest and no existing account with the notifying organization, the notification is fraudulent.

The Psychology Behind Phishing Lures: Why Intelligent People Still Fall for Prize Scams

Their persistence reflects two well-documented characteristics of human psychology:

Optimism bias: the tendency to assign higher probability to positive outcomes than evidence warrants, particularly when the stated cost of claiming a reward appears low.

Ambiguity exploitation: many recipients are genuinely uncertain whether they entered a promotion or whether a refund is owed, and that uncertainty creates a decision window that phishing campaigns exploit.

Attackers calibrate reward amounts to sit within a plausible range rather than an implausible one. A $47 refund notification from a known retailer is more effective than a $10 million inheritance claim precisely because it falls within the range of experiences a recipient might plausibly have forgotten.

Key takeaway: Recipients of any too-good-to-be-true offer should navigate directly to the relevant organization's official website through a saved bookmark, not through any link in the email, and check for notifications within an authenticated account session.

Sign 13: QR Codes in Unexpected or Unsolicited Communications

QR code phishing, or quishing, has become a significant and technically distinct attack variant. Its core advantage is that standard email security gateways scan text and URLs in message content but cannot interpret the destination encoded within a QR code image.

A malicious URL delivered via QR code arrives in the inbox without triggering the detection mechanisms that would flag an identical hyperlink.

Where QR Code Phishing (Quishing) Appears: Email, PDFs, Teams, and Physical Locations

QR code phishing delivery locations include:

  • The email body, presented as a prompt to scan the code to verify an account or access a document
  • PDF attachments embedded within invoices, delivery notifications, or contracts requiring signature
  • Printed materials in physical locations, including flyers, parking notices, and package delivery slips
  • Microsoft Teams messages and collaboration platform notifications redirecting recipients to credential harvesting pages outside the monitored corporate environment

Why QR Code Phishing Bypasses Corporate Security Tools

QR codes introduce a compounding detection challenge. The email arrives on a corporate device monitored by organizational security tools. The recipient scans the code with a personal mobile device operating outside the security perimeter, accessing the malicious destination with no enterprise threat protection, no URL filtering, and no visibility for the organization's security team.

How to Preview a QR Code URL Before Visiting It: Quishing Protection on iOS and Android

Both major mobile operating systems provide a native preview mechanism allowing the recipient to inspect the destination before the browser opens it.

On iOS, opening the Camera app and pointing it at a QR code causes a notification banner to appear, displaying the destination URL. This banner should be read carefully before tapping.

On Android, the native Camera app on most current devices displays a URL preview banner when the camera is pointed at a QR code. Google Lens, available on all Android devices, provides the same functionality.

On both platforms, the registered domain, the segment immediately to the left of the top-level domain, is the critical component to verify. The same logic used for the link verification mentioned in Sign 4 also works well here.

Key takeaway: QR codes in unsolicited communications that create urgency around account verification or payment confirmation warrant the same scrutiny as unexpected hyperlinks.

Sign 14: Callback Phishing and Vishing: Voice-Based Phishing Attack Red Flags

Callback phishing is notoriously difficult to detect with conventional security tooling. The message contains only a phone number and a pretext for calling it, meaning URL-scanning tools, sandbox analysis, and email security gateways have no malicious content to flag. The email passes every automated filter and lands in the inbox clean.

How Fast Callback Phishing Is Growing

According to the CrowdStrike 2025 Global Threat Report, voice phishing attacks increased 442% between the first and second halves of 2024.

The number reflects a deliberate strategic evolution from link-based delivery alone toward voice-based social engineering, which operates entirely outside the reach of email security infrastructure.

How Callback Phishing Works

The attack begins with an email designed to provoke alarm or confusion without containing any technical payload. Common pretexts include:

  • A subscription renewal notice for an unauthorized service, listing a large charge and a cancellation number
  • A security alert warning of suspicious account activity, with a support number to call immediately
  • An order confirmation for a purchase the recipient did not make, with a dispute number to contact

When the recipient calls, an operator guides them through a social engineering sequence, instructing them to install remote access software such as AnyDesk or TeamViewer, provide account credentials for verification, or authorize a transaction that transfers funds to an attacker-controlled account.

Key takeaway: Recipients should exercise caution toward any communication that directs them away from the email or a controlled environment, as this may indicate a callback phishing attempt.

Sign 15: Phishing Links Hidden Inside SharePoint, DocuSign, and Google Sites URLs

A sophisticated and increasingly prevalent phishing technique involves hosting malicious content on infrastructure operated by trusted cloud providers rather than on attacker-registered domains.

Documented by security researchers as Living off the Trusted Sites (LoTS), this approach exploits the reputational trust of major platforms to simultaneously bypass automated security scanning and manual recipient inspection.

How Living off the Trusted Sites (LoTS) Phishing Hides Malicious Pages on Trusted Cloud Platforms

Rather than directing the recipient to a suspicious domain, the attacker hosts the phishing page or credential harvesting form on a platform with an established, trusted domain. Examples include:

  • sharepoint.com: a SharePoint site configured to redirect to a malicious page or collect credentials through an embedded form
  • docusign.net: a spoofed signing request that redirects the recipient to a credential harvesting page after the initial DocuSign-branded interaction
  • dropbox.com: a shared file link that delivers a malicious document or redirects to a phishing login page
  • sites.google.com: a Google Sites page replicating a corporate login portal or document access prompt
  • onedrive.live.com: a shared file notification directing the recipient to a cloned Microsoft 365 login page

Because these domains carry valid TLS certificates and established reputations, the links pass email security gateway filters, URL reputation checks, and the manual hover-inspection technique described in Sign 4.

Why 'Check the Domain' Fails Against Trusted-Platform Phishing: What to Do Instead

LoTS attacks exploit a structural assumption embedded in most security awareness training: that a recognizable domain indicates a safe destination. This holds for direct-hosted content but fails when a trusted platform serves as an intermediary hosting layer for attacker-controlled content.

Additionally, many organizations maintain explicit allowlists for major cloud platforms, meaning links to SharePoint, Dropbox, and Google Sites bypass security gateway inspection entirely as a matter of policy.

A SharePoint URL with an unfamiliar tenant name, a Google Sites URL not corresponding to a known organizational property, or a DocuSign link arriving without a prior document exchange should each be treated with the same scrutiny applied to links on unrecognized domains.

Key takeaway: The presence of a recognized domain is not sufficient verification that a destination is safe. The full URL, including the path and any parameters following the domain, warrants inspection.
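The scrutiny the section asks for (an unfamiliar SharePoint tenant, a Google Sites property that is not one of the organization's own) can be expressed as a check against an inventory of known properties. The following is an added example, not code from the original article or its authors. It identifies the tenant in a `*.sharepoint.com` host (the first label, with the `-my` suffix that OneDrive for Business hosts carry stripped) and the owner of a `sites.google.com` path (the `/view/` or `/site/` name for consumer-style sites, the Workspace domain otherwise), then compares each against a constructed allowlist. The allowlist contents and the sample links are assumptions made for illustration.

```python
from urllib.parse import urlparse

# Constructed allowlist of the organization's own cloud properties. Assumption:
# a real deployment would populate this from its tenant and site inventory.
KNOWN_SHAREPOINT_TENANTS = {"contoso"}
KNOWN_GOOGLE_SITES = {"contoso-intranet", "contoso.example"}


def classify_trusted_platform_link(url: str) -> dict:
    """Identify which SharePoint tenant or Google Sites owner a link points at,
    and whether that owner is one the organization actually uses."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    segments = [s for s in parsed.path.split("/") if s]

    if host.endswith(".sharepoint.com"):
        # The tenant is the first host label; OneDrive for Business hosts carry
        # a "-my" suffix (contoso-my.sharepoint.com).
        tenant = host.split(".")[0].removesuffix("-my")
        known = tenant in KNOWN_SHAREPOINT_TENANTS
        return {"platform": "sharepoint", "owner": tenant, "known": known,
                "verdict": "allow" if known else "review"}

    if host == "sites.google.com":
        # /view/<site> and /site/<site> are consumer-style sites; /a/<domain>/<site>
        # (legacy) and /<domain>/<site> are the Workspace forms, where the
        # domain identifies the owner.
        if len(segments) >= 2 and segments[0] in ("view", "site", "a"):
            owner = segments[1]
        else:
            owner = segments[0] if segments else ""
        known = owner in KNOWN_GOOGLE_SITES
        return {"platform": "google-sites", "owner": owner, "known": known,
                "verdict": "allow" if known else "review"}

    # Anything else is outside the platforms this check models.
    return {"platform": "other", "owner": host, "known": False, "verdict": "review"}


if __name__ == "__main__":
    for link in (
        "https://contoso.sharepoint.com/sites/finance/Shared%20Documents/Invoice.pdf",
        "https://ab12xyz-my.sharepoint.com/:b:/g/personal/jdoe_ab12xyz_onmicrosoft_com/EaBcD",
        "https://sites.google.com/view/contoso-signin-verify/home",
        "https://sites.google.com/contoso.example/contoso-intranet",
    ):
        print(classify_trusted_platform_link(link)["verdict"], link)
```

The second sample is the pattern the section warns about: the host is genuinely Microsoft's, the certificate is valid, and a domain-only check passes, yet the tenant `ab12xyz` is nobody the organization does business with. A gateway allowlist that matches on `sharepoint.com` alone cannot make that distinction; one keyed on tenant can.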

Sign 16: MFA Fatigue and Push Notification Bombing

Multi-factor authentication (MFA) is an effective control against unauthorized account access. However, cybercriminals have responded by weaponizing the MFA mechanism itself. MFA fatigue, also known as push bombing, often begins with a phishing email that initiates the attack sequence.

Multi-factor authentication fatigue represents a particularly dangerous phishing technique, designed to pressure users into approving fraudulent sign-in requests.

How MFA Fatigue Attacks Work: Repeated Push Notifications and What Attackers Are Waiting For

The attack requires a threat actor who has already obtained valid credentials through a prior credential harvesting campaign, a data breach, or a password spray attack. With those credentials, the cybercriminal initiates repeated login attempts, each triggering an MFA push notification to the recipient's registered device. The recipient receives a stream of "Approve your sign-in" prompts they did not initiate.

The objective is fatigue. The attacker repeats the login attempt continuously until one of three outcomes occurs:

  • The recipient approves a prompt out of confusion or frustration
  • The recipient approves a prompt simply to stop the notifications
  • The recipient contacts the help desk, at which point a social engineering call may follow, impersonating IT support and requesting prompt approval to resolve the issue

How a Phishing Email Sets Up an MFA Fatigue Attack

MFA fatigue attacks frequently include a phishing email as a preparatory element. Common patterns include a message warning of unusual sign-in activity and instructing the recipient to approve the next prompt to secure their account, or a spoofed IT communication explaining that a system migration requires prompt confirmation.

Both framings provide a plausible explanation for incoming notifications, reducing the likelihood that the recipient recognizes the attack.

Key takeaway: No legitimate system, IT department, or security team will ever instruct a recipient to approve an MFA prompt through an email or phone call they did not initiate. Push notifications should be approved only when the recipient has just attempted to log in and is expecting the prompt.
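From the defender's side, the burst of unanswered prompts described above is visible in identity-provider sign-in logs before the victim ever approves one. The following is an added example, not code from the original article or its authors, of a detection rule over such logs: it groups MFA push events per user, slides a time window over them, and raises an alert when a threshold of denied or timed-out prompts is reached, escalating the severity if an approval follows inside the same window (the outcome the attacker is waiting for). The log format, field names, and the sample lines are constructed for illustration; a real rule would map them to the provider's own schema.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed identity-provider sign-in log, one JSON object per line.
# "alice" receives six prompts she did not initiate and finally approves one;
# "bob" approves a single prompt he was expecting.
SAMPLE_LOG = """\
{"ts": "2026-01-14T08:01:05", "user": "alice", "event": "mfa_push", "result": "denied",   "src_ip": "198.51.100.7"}
{"ts": "2026-01-14T08:01:40", "user": "alice", "event": "mfa_push", "result": "timeout",  "src_ip": "198.51.100.7"}
{"ts": "2026-01-14T08:02:00", "user": "bob",   "event": "mfa_push", "result": "approved", "src_ip": "203.0.113.22"}
{"ts": "2026-01-14T08:02:15", "user": "alice", "event": "mfa_push", "result": "denied",   "src_ip": "198.51.100.7"}
{"ts": "2026-01-14T08:02:50", "user": "alice", "event": "mfa_push", "result": "timeout",  "src_ip": "198.51.100.7"}
{"ts": "2026-01-14T08:03:30", "user": "alice", "event": "mfa_push", "result": "denied",   "src_ip": "198.51.100.7"}
{"ts": "2026-01-14T08:04:05", "user": "alice", "event": "mfa_push", "result": "denied",   "src_ip": "198.51.100.7"}
{"ts": "2026-01-14T08:04:40", "user": "alice", "event": "mfa_push", "result": "approved", "src_ip": "198.51.100.7"}
{"ts": "2026-01-14T08:04:55", "user": "alice", "event": "signin",   "result": "success",  "src_ip": "198.51.100.7"}
"""


def detect_push_bombing(lines, window=timedelta(minutes=10), threshold=5):
    """Raise one alert per user who received `threshold` or more unapproved
    push prompts inside `window`; severity is raised if an approval followed."""
    by_user = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("event") == "mfa_push":
            by_user[ev["user"]].append(
                (datetime.fromisoformat(ev["ts"]), ev["result"], ev["src_ip"]))

    alerts = []
    for user, events in by_user.items():
        events.sort(key=lambda e: e[0])
        for i, (start, _, _) in enumerate(events):
            in_window = [e for e in events[i:] if e[0] - start <= window]
            unapproved = [e for e in in_window if e[1] != "approved"]
            if len(unapproved) < threshold:
                continue
            approved = any(e[1] == "approved" for e in in_window)
            alerts.append({
                "user": user,
                "unapproved_prompts": len(unapproved),
                "approval_in_window": approved,
                "src_ips": sorted({e[2] for e in in_window}),
                "first_prompt": start.isoformat(),
                # an approval after a burst of denials is the attacker's win condition
                "severity": "high" if approved else "medium",
            })
            break                       # one alert per user is enough
    return alerts


if __name__ == "__main__":
    for alert in detect_push_bombing(SAMPLE_LOG.splitlines()):
        print(alert)
```

A medium-severity alert (burst with no approval yet) is the point at which the account should be locked and the user contacted through a known channel, which also pre-empts the help-desk impersonation call described in the third bullet above. A high-severity alert means the credentials are already in use and the session should be revoked.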

4 Phishing Email Examples and How to Spot Them

The strategies outlined above provide a strong foundation for practical application. The following examples demonstrate how to identify phishing emails, beginning with a PayPal suspended account notification, a characteristic instance of a standard phishing attempt:

Source: https://us.norton.com/blog/online-scams/phishing-email-examples

This email contains four clear indicators of a phishing attempt:

  1. An inconsistent sender domain: the registered domain, the segment immediately before ".com," reads "http://paypal-accounts.com", which is not a legitimate domain; an authentic message would originate from "http://paypal.com"
  2. A generic greeting: "Dear PayPal Customer" suggests the sender does not have access to the recipient's name, as a legitimate communication would
  3. A sense of urgency: the reference to a 24-hour window is an arbitrary timeframe designed to pressure the recipient into acting without scrutiny
  4. A catastrophic outcome: the threat of permanent account disablement is intended to provoke immediate action through fear

Beyond the greeting and the sender domain, the overall tone of the message serves as an additional indicator. No legitimate organization would communicate with its users in language that resembles a threat rather than a notification of an account issue.

It is also worth noting that the email is generally well composed, with a tone consistent with the impersonated brand, and that the visual presentation is convincing enough to deceive a recipient, particularly on a smaller mobile screen.

The following example examines a phishing attempt targeting CEO fraud:

Source: https://nordvpn.com/pt-br/blog/phishing-email-examples/?srsltid=AfmBOorKkSeFSEO5GC8wlI8sMISdRlLVW79LY9Xbt4bRaz-Z42nFjdTg

This message also contains identifiable indicators that may trigger suspicion:

  1. External sender alerts: the tag flagging the message as originating outside the organization constitutes an indicator in itself
  2. The sender address: a corporate email ending in "gmail.com" is atypical in professional settings, particularly when accompanied by a formal signature
  3. An off-channel request: the attacker attempts to move the conversation to a platform under their full control, away from monitored organizational channels

The challenge with this message is that most indicators are individually explainable given the circumstances. An executive traveling, for instance, might justify each of those signals in isolation. The mere fact that the message appears to originate from the chief executive officer is sufficient to activate the psychological triggers that the attacker relies upon.

The following example presents a specific business-to-business scenario involving a technique known as thread hijacking, in which a malicious actor inserts a message into an existing email thread to deliver a payload through a malicious attachment. This approach is particularly dangerous because it exploits an active conversation to lend credibility to the attempt.

Source: https://www.cisecurity.org/insights/blog/a-short-guide-for-spotting-phishing-attempts

The final example of a phishing email comes from cybersecurity expert Troy Hunt, who fell victim to a scam.

Source: https://www.troyhunt.com/a-sneaky-phish-just-grabbed-my-mailchimp-mailing-list/

Compared to the previous examples, this email contains virtually no identifiable indicators of fraudulent intent, except for the generic "Hello" greeting in place of the recipient's name. Even that detail is plausible in the context of a formal security notification.

The remaining elements are carefully constructed, as the recipient himself has noted. The message activates a fear response without resorting to overt threats, such as the 24-hour deadline and permanent account disablement observed in the PayPal example.

The level of urgency is deliberately moderated to enhance credibility and, consequently, the likelihood of a response. The writing is grammatically sound without being excessively formal, further reinforcing the appearance of legitimacy.

How to Tell if an Email Is Phishing on Mobile

Mobile devices introduce distinct detection challenges that compound the difficulty of identifying phishing emails.

Smaller screens truncate sender addresses and URLs, email clients default to displaying friendly names rather than underlying addresses, and the pace of mobile email consumption reduces the time recipients allocate to evaluating individual messages.

The detection principles covered in the checklist above apply on mobile, but the mechanics of applying them differ in important ways, largely because of the physical limitations of the medium.

How to Verify the Sender on a Mobile Phishing Email for iOS and Android

Mobile email clients, including Gmail, Outlook for iOS and Android, and Apple Mail, display the sender's friendly name by default, suppressing the underlying email address unless the recipient taps the sender name to expand the full address field.

Verification requires tapping the sender's name within the open message to reveal the actual email address. The domain component following the "@" symbol should be read carefully against the legitimate domain of the purported sender.

On a small screen in a standard mobile font, the substitution of "rn" for "m" in a domain such as rnicrosoft.com is considerably harder to detect than on a desktop display, and number-for-letter substitutions such as paypa1.com require deliberate character-by-character reading.

How to Inspect Phishing Links on Mobile Using Long-Press Preview

Hovering is not available on mobile. The equivalent action is a long press on any hyperlinked text or button, which displays a preview panel showing the destination URL. This preview should be read before any tap that would open the link. The critical component to verify is the registrable domain: the label immediately to the left of the top-level domain together with that top-level domain (paypal.com in www.paypal.com). Everything further to the left is a subdomain chosen by whoever controls the registrable domain, so a host such as paypal.com.account-verify.example leads to account-verify.example, not to PayPal. Text that precedes an "@" in the host portion of a URL is a username, not a destination, so login.paypal.com@evil.example also leads to evil.example.

For additional verification, the URL can be copied from the preview panel and submitted to free link checkers. On iOS, copying requires pressing and holding the URL text within the preview panel. On Android, the long-press menu typically includes a "Copy link" option directly.
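The sender-domain comparison and the long-press URL check described above can be mechanised, and the same check applies to a URL read from a QR-code preview. The following is an added example, not code from the original article: it folds the substitutions named above (rn for m, 1 for l, 0 for o) and a few Cyrillic homoglyphs before comparing, reduces a URL to its registrable domain so that a brand name used as a subdomain or as a fake username before "@" is not mistaken for the destination, and reports match, lookalike or mismatch. The sample senders and URLs, the short second-level-suffix set standing in for the public suffix list, and the homoglyph table are assumptions made for this example.

```python
"""Lookalike-domain checks for From addresses and for link or QR-code
destinations. Added example; not code from the original article.
Assumptions: no public suffix list is available offline, so the registrable
domain is approximated as the last two labels plus a small hard-coded set
of second-level suffixes, and the confusable tables cover only the
substitutions named in the text plus a few common Cyrillic homoglyphs."""
import unicodedata
from email.utils import parseaddr
from urllib.parse import urlsplit

# Assumption: tiny stand-in for the public suffix list.
SECOND_LEVEL_SUFFIXES = {"co.uk", "org.uk", "ac.uk", "com.au", "co.jp", "com.br"}

# Typosquat substitutions; two-character pairs are folded before digits so
# "rn" becomes "m" in one step.
CONFUSABLE_SEQUENCES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]

# Assumption: illustrative subset of Cyrillic/Latin homoglyphs and dotless i.
HOMOGLYPHS = str.maketrans({
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u0131": "i",
})


def registrable_domain(host: str) -> str:
    """Approximate eTLD+1: the last two labels, or three when the last two
    form a known second-level suffix such as co.uk."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in SECOND_LEVEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def fold_confusables(domain: str) -> str:
    """Map lookalike characters to the letters they imitate, label by label.
    Punycode (xn--) labels are decoded first so IDN homoglyphs are compared as text."""
    folded = []
    for label in domain.lower().rstrip(".").split("."):
        if label.startswith("xn--"):
            try:
                label = label.encode("ascii").decode("idna")
            except (UnicodeError, ValueError):
                pass  # keep the raw punycode if it does not decode cleanly
        # strip accents and combining marks, then map homoglyphs and typosquat pairs
        label = "".join(ch for ch in unicodedata.normalize("NFKD", label)
                        if not unicodedata.combining(ch))
        label = label.translate(HOMOGLYPHS)
        for bad, good in CONFUSABLE_SEQUENCES:
            label = label.replace(bad, good)
        folded.append(label)
    return ".".join(folded)


def classify_host(host: str, expected: str) -> str:
    """'match' when the registrable domain is exactly the expected one,
    'lookalike' when it merely resembles or embeds it, otherwise 'mismatch'."""
    host, expected = host.lower().rstrip("."), expected.lower()
    if not host:
        return "mismatch"
    if registrable_domain(host) == expected:
        return "match"
    folded_expected = fold_confusables(expected)
    # whole registrable domain folds to the expected one: paypa1.com, rnicrosoft.com
    if fold_confusables(registrable_domain(host)) == folded_expected:
        return "lookalike"
    # brand embedded in a domain the brand does not own: micros0ft-teams.net,
    # paypal.com.account-verify.example (short brands are skipped to limit noise)
    brand = folded_expected.split(".")[0]
    if len(brand) >= 4 and brand in fold_confusables(host):
        return "lookalike"
    return "mismatch"


def check_sender(header_value: str, expected_domain: str) -> dict:
    """Inspect a From header value such as 'PayPal <service@paypa1.com>'."""
    display_name, address = parseaddr(header_value)
    domain = address.rpartition("@")[2]
    return {"display_name": display_name, "address": address, "domain": domain,
            "verdict": classify_host(domain, expected_domain)}


def check_link(url: str, expected_domain: str) -> dict:
    """Inspect a destination URL as shown in a long-press or QR-code preview."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    return {"host": host, "registrable": registrable_domain(host),
            # everything before '@' in the authority is a username, not the host
            "userinfo_trick": "@" in parts.netloc,
            "verdict": classify_host(host, expected_domain)}


if __name__ == "__main__":
    # Constructed samples, not real campaign data.
    for sender in ("PayPal <service@paypal.com>", "PayPal Support <alerts@paypa1.com>",
                   "Microsoft Teams <noreply@rnicrosoft.com>"):
        brand = "paypal.com" if "paypal" in sender.lower() else "microsoft.com"
        print(sender, "->", check_sender(sender, brand)["verdict"])
    for url in ("https://www.paypal.com/signin",
                "https://login.paypal.com@evil.example/signin",
                "https://www.paypal.com.account-verify.example/"):
        print(url, "->", check_link(url, "paypal.com"))
```

A "lookalike" verdict is a reason to stop and verify through another channel, not proof of fraud: brands do register secondary domains, and the folding is deliberately aggressive. In production the suffix set should be replaced by a public suffix list lookup, and the expected domain should come from the organization's own allowlist rather than from the message.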

QR Code Inspection on Mobile: Detecting Quishing on iOS and Android

On iOS, pointing the native Camera app at a QR code displays a notification banner showing the destination URL before any navigation occurs. On Android, the native Camera app on most current devices provides the same preview, and Google Lens offers equivalent functionality. The destination domain should be verified against the legitimate domain of the organization the QR code claims to represent before tapping.

How to Check Phishing Email Header Authentication on Mobile: Gmail, Outlook, and Apple Mail

In the Gmail mobile app, tapping the three-dot menu and selecting "Show original" opens a browser view that displays the SPF, DKIM, and DMARC summaries. In Outlook for mobile, full header access requires forwarding the message to a desktop client or accessing the Outlook web interface in a mobile browser. In Apple Mail on iOS, header visibility is limited compared to the desktop client. Whichever client is used, a "pass" result is only meaningful when the domain that passed is the domain shown in the From header: SPF and DKIM can both pass for a bulk-mailer or attacker-controlled domain while the visible From address impersonates someone else, and that mismatch is exactly what a DMARC failure reports.
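As an added example (not code from the original article) of what the SPF, DKIM and DMARC summary behind "Show original" actually tells you, the following code parses the Authentication-Results header of two constructed messages with Python's email module and checks whether a passing SPF or DKIM result belongs to the organizational domain of the From address. The raw messages, the receiving server name mx.example.com and the bulk-mailer domain are constructed for illustration, and the organizational domain is approximated as the last two labels because no public suffix list is used.

```python
"""Read SPF/DKIM/DMARC results from Authentication-Results and check
alignment with the From domain. Added example, not from the original article.
Assumptions: the two raw messages are constructed; the organizational domain
is approximated as the last two labels (no public suffix list)."""
import re
from email import message_from_bytes, policy
from email.utils import parseaddr

# Constructed sample: SPF and DKIM both pass, but for a bulk-mailer domain,
# not for the paypal.com shown in From, so DMARC fails.
PHISH_RAW = b"""\
Authentication-Results: mx.example.com;
 spf=pass (example.com: sender 203.0.113.5 is authorized) smtp.mailfrom=bounce@bulkmailer.example;
 dkim=pass header.i=@bulkmailer.example header.s=sel1 header.b=AbC123;
 dmarc=fail (p=REJECT sp=REJECT dis=NONE) header.from=paypal.com
From: "PayPal" <service@paypal.com>
To: victim@example.com
Subject: Unusual sign-in activity detected

Your account access has been limited. Sign in to review.
"""

# Constructed sample: the same brand with passing, aligned authentication.
LEGIT_RAW = b"""\
Authentication-Results: mx.example.com;
 spf=pass smtp.mailfrom=bounce@paypal.com;
 dkim=pass header.d=paypal.com header.s=pp-dkim1;
 dmarc=pass (p=REJECT) header.from=paypal.com
From: "PayPal" <service@paypal.com>
To: victim@example.com
Subject: Your receipt

Thanks for your payment.
"""

METHOD_RE = re.compile(r"\b(spf|dkim|dmarc)=([a-z]+)", re.I)
PROP_RE = re.compile(r"\b(smtp\.mailfrom|header\.i|header\.d|header\.from)=(\S+)")


def parse_auth_results(value: str) -> dict:
    """Return {method: {"result": ..., prop: value, ...}} for one header value."""
    value = re.sub(r"\s+", " ", value)
    results = {}
    for clause in value.split(";")[1:]:  # element 0 is the authserv-id
        method = METHOD_RE.search(clause)
        if not method:
            continue
        entry = {"result": method.group(2).lower()}
        entry.update(PROP_RE.findall(clause))
        results[method.group(1).lower()] = entry
    return results


def organizational_domain(domain: str) -> str:
    # Assumption: the last two labels stand in for a public suffix lookup.
    return ".".join(domain.lower().strip(".").split(".")[-2:])


def evaluate(raw: bytes) -> dict:
    """Summarise the authentication results and whether they align with From."""
    msg = message_from_bytes(raw, policy=policy.default)
    from_domain = parseaddr(str(msg["From"] or ""))[1].rpartition("@")[2].lower()
    ar = parse_auth_results(str(msg["Authentication-Results"] or ""))
    spf, dkim, dmarc = ar.get("spf", {}), ar.get("dkim", {}), ar.get("dmarc", {})
    spf_domain = spf.get("smtp.mailfrom", "").rpartition("@")[2].lower()
    dkim_domain = (dkim.get("header.d") or dkim.get("header.i", "")).rpartition("@")[2].lower()
    org_from = organizational_domain(from_domain)
    # Relaxed DMARC alignment: the passing domain must share From's organizational domain.
    spf_aligned = spf.get("result") == "pass" and organizational_domain(spf_domain) == org_from
    dkim_aligned = dkim.get("result") == "pass" and organizational_domain(dkim_domain) == org_from
    if spf_aligned or dkim_aligned:
        verdict = "authenticated for the From domain"
    elif "pass" in (spf.get("result"), dkim.get("result")):
        verdict = "passes only for a third-party domain, not the From domain"
    else:
        verdict = "authentication failed or absent"
    return {"from_domain": from_domain,
            "spf": spf.get("result"), "spf_domain": spf_domain,
            "dkim": dkim.get("result"), "dkim_domain": dkim_domain,
            "dmarc": dmarc.get("result"),
            "aligned": spf_aligned or dkim_aligned, "verdict": verdict}


if __name__ == "__main__":
    for name, raw in (("phish", PHISH_RAW), ("legit", LEGIT_RAW)):
        print(name, evaluate(raw))
```

The point of the alignment check is that "spf=pass" and "dkim=pass" on their own say only that some domain authenticated the message; a security-savvy reader of "Show original" looks at the smtp.mailfrom and header.d (or header.i) values next to them and compares those to the From domain, which is what the dmarc line does on the receiver's behalf.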

Why Phishing Attacks Are More Dangerous on Mobile: Amplified Red Flags to Watch For

Several phishing indicators are heightened in the mobile context:

  • Urgency language is more effective because the compressed reading environment reduces the time available for critical evaluation before a tap is made
  • Channel-switching instructions are structurally easier to act on. A phone number becomes a one-tap call, and an SMS redirect requires no additional steps
  • MFA push notifications arrive on the same device used to read the email, compressing the gap between the phishing trigger and the requested approval
  • Callback phishing pretexts are particularly effective because the phone number is immediately actionable with a single tap

Mobile Phishing Detection Checklist: 5 Practices for Every Suspicious Email

  • Tap the sender's name in every unexpected message to reveal the underlying email address before reading the content
  • Use long-press on all links to preview the destination URL before tapping
  • Treat all QR codes in unsolicited emails as suspicious until the destination URL has been verified in the preview banner
  • Avoid approving any MFA push notification that arrives on the same device being used to read an email about account security
  • Verify any financial request, credential prompt, or sensitive action through an independent channel before completing it on a mobile device

Spotting Phishing Emails at Work: Enterprise Attack Types and How to Identify Them

The phishing email red flags covered in the detection checklist apply across both consumer and enterprise contexts. Enterprise environments, however, present a distinct threat profile that goes beyond surface-level red flags.

The combination of high-value financial processes, complex organizational structures, privileged system access, and established vendor relationships creates specific attack surfaces that threat actors exploit through these phishing attack types.

Several of these variants warrant individual attention because their detection depends not only on recognizing surface-level warning signs but on understanding the organizational process being impersonated and identifying where it has been manipulated.

Awareness constitutes a foundational defense against these variants, given the precision with which they are constructed and the specificity of their targeting. A workforce unaware of their existence has very little chance of stopping them.

What Is Business Email Compromise (BEC)? Signs, Patterns, and How to Detect

Unlike broad phishing campaigns, BEC operations are precision-targeted and designed specifically to pass every traditional phishing detection test.

BEC emails frequently originate from compromised legitimate accounts or convincingly spoofed domains, contain no malicious links or attachments, and use accurate organizational context written in a professional register that matches the impersonated sender. There is no technical payload to flag and no URL to inspect. The fraudulent element is entirely contained within the request itself.

Detection depends on recognizing process anomalies rather than technical indicators:

  • Executive impersonation: an urgent financial request appearing to originate from a senior executive, often with an instruction to keep the transaction confidential and bypass normal approval channels
  • Abnormal payment instructions: a request to wire funds to a new or unfamiliar account, citing a time-sensitive business reason such as an acquisition or regulatory requirement
  • Vendor banking detail changes: a supplier communication requesting payment redirection to a new bank account, typically arriving shortly before a scheduled invoice payment
  • Payroll redirection: a message impersonating an employee and instructing HR to update direct deposit details ahead of the next pay cycle

Any request matching the patterns above warrants verification. The purported sender should be contacted directly using a phone number from an established internal directory to confirm both that the request is genuine and that the account details provided are correct.

What Is a CEO Fraud Email and How to Spot a CEO Phishing Scam

CEO fraud is a BEC variant in which the attacker impersonates a senior executive, most commonly the CEO or CFO, to instruct an employee to execute an urgent financial transaction. The two most common requests are a wire transfer to an unfamiliar account and the purchase of gift cards with instructions to return the redemption codes via email. This variant generates substantial losses by exploiting authority, urgency, and workplace hierarchy simultaneously.

Why CEO Fraud Emails Work: Authority Bias and the Psychology of Executive Impersonation

Employees conditioned to respond promptly to executive requests experience a specific psychological tension when an instruction comes from an organizational authority figure. Questioning the request feels professionally risky in a way that the same response to a colleague would not.

Attackers amplify this tension by framing the transaction as time-sensitive, confidential, and personally important to the executive. The message itself is typically brief, direct, and free of surface-level phishing indicators, and may arrive from a compromised executive account, meaning even sender verification may not immediately identify the fraud.

How to Spot a CEO Fraud Email

To spot a CEO fraud email, look for behavior and requests that do not match the company's normal processes:

  • A message from an apparent executive requesting an urgent wire transfer or gift card purchase, framed as confidential and requiring immediate action
  • An instruction to purchase specific gift card brands and return redemption codes by email, citing a client gift, employee reward, or personal emergency
  • A request explicitly discouraging verification, such as "handle this quietly" or "do not involve finance"
  • A sender address matching the executive's display name but originating from a personal email domain or a lookalike corporate domain

How to Verify a CEO Fraud Attempt

Verification must use contact details that exist independently of the suspicious message:

  1. Do not call any number, reply to any address, or use any contact details contained in the email
  2. Locate the executive's phone number from an established internal directory or prior verified correspondence
  3. Call the executive directly and confirm both that the request is genuine and that the specific transaction details are correct
  4. If the executive cannot be reached, escalate to a second authorized contact within the finance or security team using the same independently sourced contact method
  5. Notify the organization's security team regardless of the outcome

No legitimate executive will object to a verification call for a financial transaction. An instruction that explicitly discourages verification is itself one of the strongest indicators that the request is fraudulent.

CEO fraud is a form of phishing in which attackers exploit the perceived authority of senior executives to manipulate employees into making costly or sensitive mistakes.

What Is Spear Phishing? How It Differs from Regular Phishing and How to Identify It

Spear phishing is a targeted variant of conventional phishing in which the attacker constructs a message tailored to a specific individual using open-source intelligence (OSINT): the systematic collection of publicly available information from sources including LinkedIn profiles, corporate websites, press releases, social media activity, and data breach repositories.

From this data, the attacker extracts the target's name, job title, reporting relationships, current projects, and vendor contacts, assembling a profile that informs a message designed to appear entirely credible to that specific recipient.

Why Spear Phishing Bypasses Standard Phishing Detection, and What to Look for Instead

Because spear phishing messages are built around accurate personal and organizational details, they routinely pass the surface-level detection checks that identify generic phishing campaigns.

The sender may appear to be a known colleague, the referenced project or vendor relationship may be genuine, and the requested action may fit plausibly within the recipient's professional responsibilities, with no malicious link, no suspicious attachment, and no urgency language present.

Spear phishing frequently serves as the entry point for larger attack sequences rather than a standalone campaign. A successful interaction that harvests credentials or establishes a foothold can precede ransomware deployment, lateral movement across internal systems, or a BEC campaign exploiting the compromised account's established trust relationships.

How to Spot a Spear Phishing Email

Detection relies primarily on contextual anomaly signals. Specific indicators include:

  • A message referencing a project or vendor with sufficient accuracy to appear credible but insufficient specificity to be independently verified
  • A request from a known contact that falls outside that contact's normal responsibilities or communication patterns
  • An action requested through email only, with no corresponding confirmation through an established internal channel
  • A communication creating a reason to bypass standard approval processes, framed as urgency, confidentiality, or executive instruction

Any message incorporating accurate personal detail while requesting an action outside normal workflow warrants independent verification before compliance, using a contact method established prior to and independent of the message under review.

What Is a Whaling Attack? How to Identify Whaling Phishing Targeting Executives

Whaling is a spear phishing variant targeting senior executives, including the CEO, CFO, and CISO. Rather than casting a wide net, the campaign focuses on the highest-value individuals within an organization: those with authority to approve significant financial transactions, access sensitive strategic information, or instruct subordinates to take consequential actions without triggering standard approval processes.

Why CEOs, CFOs, and CISOs Are the Top Whaling Phishing Targets

Senior executives present a combination of characteristics that make them disproportionately valuable as phishing targets:

  • They hold direct authorization over wire transfers and vendor contracts
  • Their names, roles, and professional activities are extensively documented in public sources, providing rich OSINT (Open Source Intelligence) material for personalized lure construction
  • They frequently communicate outside standard organizational workflows, making process anomalies harder to identify
  • They are often subject to less frequent security awareness training than the broader employee population, creating a detection gap at the point of highest organizational risk

How Whaling Attacks Combine with BEC to Execute Fraudulent Wire Transfers

Whaling campaigns are most commonly deployed in combination with business email compromise to execute fraudulent wire transfers, operating in two directions. In the first, the executive is the target: a message impersonating a board member, legal representative, or major vendor instructs the executive to authorize a transfer or disclose sensitive financial information.

In the second, the executive is the impersonated party: a compromised or spoofed executive account instructs a finance team member to process an urgent payment, leveraging organizational authority to bypass standard approval requirements.

How to Spot a Whaling Email: CEO Fraud Red Flags for Executives and Their Teams

  • A message directed at a senior executive referencing a confidential transaction or acquisition and requesting urgent action outside normal channels
  • An instruction from an apparent executive account to a finance or HR team member that bypasses documented authorization requirements
  • A communication from a board member or legal counsel requesting sensitive financial data or account credentials
  • An executive-level request arriving exclusively through email with an instruction not to discuss the matter with colleagues

Any financial instruction originating from or directed to an executive account warrants multi-channel verification using a number from an established internal directory, independent of the message under review.

What Is Clone Phishing and How to Spot It

Clone phishing involves reproducing a legitimate email the recipient has previously received, replacing the original links or attachments with malicious versions while preserving the visual structure, branding, sender name, and message content of the genuine communication. The resulting message is structurally identical to an email the recipient already trusts because it is a direct copy of one.

How a Clone Phishing Email Works

The attacker reproduces a legitimate email with high fidelity, substituting the original link or attachment with a malicious equivalent, and sends the cloned message from a spoofed or lookalike sender address constructed through typosquatting.

The accompanying pretext typically frames the message as a resend, a corrected version, or an updated document, providing a plausible explanation for why the recipient is receiving what appears to be a duplicate communication.

The technique eliminates the contextual anomalies recipients are trained to identify. The sender's name is familiar, the message format matches prior legitimate correspondence, the subject line references a previous interaction, and the requested action is consistent with the original email's requirements. Every visible element matches a communication the recipient has already processed and trusted.

How to Spot a Clone Phishing Email

  • A message framed as a resend, correction, or updated version of a prior communication, particularly one arriving without a clear explanation of what was incorrect in the original
  • A sender address that closely resembles but does not exactly match the domain of the original sender, requiring character-level inspection to identify the discrepancy
  • A link or attachment that does not match the destination or file name present in the original communication
  • An unexpected follow-up to an automated notification, invoice, or transactional email the recipient did not expect to receive again

When a message appears to duplicate a prior communication, the links or attachments in the new message should not be used. The recipient should locate the original email, verify the sender address and link destination in that message, and use those verified elements exclusively. If the original cannot be located or the follow-up appears to originate from a slightly different address, the sender should be contacted to confirm whether the resend is legitimate.

Who Phishing Attacks Target: The Most Targeted Industries and Roles

Phishing campaigns are not distributed uniformly. Threat actors allocate targeting resources based on the financial value of accessible assets, the sensitivity of held data, and the exploitability of sector-specific workflows.

Most Targeted Industries in Phishing Attacks: Finance, Healthcare, Manufacturing, and More

According to the APWG Q4 2025 Phishing Activity Trends Report, the most heavily targeted sectors by phishing are social media (20.3%), SaaS and webmail platforms (20.3%), telecommunications (18.7%), financial institutions (9.3%), and eCommerce and retail (8.7%). Industry-specific lure patterns include:

  • Financial services: fraudulent wire transfer authorizations, regulatory compliance notifications, and account verification requests impersonating payment processors or internal treasury functions
  • Healthcare: credential harvesting targeting electronic health record portals, insurance reimbursement notifications, and invoice fraud targeting medical procurement teams
  • Manufacturing and logistics: vendor impersonation targeting procurement and accounts payable functions, freight invoice fraud, and delivery notification lures harvesting shipping portal credentials
  • Public administration: credential harvesting targeting government email systems, grant notification fraud, and tax authority impersonation campaigns
  • Technology and SaaS: OAuth consent phishing targeting developer credentials, software license renewal fraud, and domain expiration notifications harvesting registrar account access
  • Hospitality: reservation confirmation fraud targeting hotel and restaurant booking systems, loyalty program credential harvesting campaigns impersonating major travel brands, and supplier invoice fraud targeting food and beverage procurement teams
  • Retail: payment processing credential harvesting targeting point-of-sale system administrators, gift card fraud campaigns targeting customer service teams, and supplier impersonation attacks targeting merchandise procurement and accounts payable functions

Which Employee Roles Are Most Targeted by Phishing and Why

Targeting by role reflects access level and decision-making authority rather than seniority alone:

  • Finance and accounts payable: primary targets for BEC, wire transfer fraud, and vendor payment redirection due to direct access to payment authorization systems
  • Human resources: targeted for payroll redirection, W-2 fraud, and employee data harvesting that provides OSINT material for subsequent spear phishing operations
  • IT and system administrators: targeted for privileged credential harvesting seeking access to internal systems, cloud infrastructure, and identity management platforms
  • Executive assistants: targeted as proxy access points to executive accounts, calendar systems, and financial authorization workflows
  • Legal and compliance: targeted for sensitive document requests and contract fraud campaigns that exploit the expectation of confidentiality
  • New employees: targeted during onboarding when familiarity with internal processes and verification procedures is lowest

Across industries and roles, the unifying characteristic of enterprise phishing is the exploitation of a specific legitimate workflow. Detection depends as much on process adherence and a culture of verification as on individual recognition of phishing email red flags.

Understanding which attack type is most likely and whether a given role is a high-priority target informs how quickly to escalate and which internal teams to involve when a suspicious email arrives.

| Attack | Target | Risk | Response |
| --- | --- | --- | --- |
| BEC / wire fraud | Finance / AP | Funds redirected to attacker accounts | Verify payment changes by phone (known number). Require dual approval on transfers |
| Credential harvesting | All roles | Account takeover via stolen logins | Enable MFA. Never click email links to log in. Report to IT |
| Vendor/invoice fraud | Procurement / AP | Fake invoices cause financial loss | Confirm bank detail changes by phone using existing supplier records |
| Spear phishing | Executives / Legal / HR | Role-specific lures trigger high-authority actions | Verify urgent requests out of band. Treat secrecy demands as a red flag |
| Payroll / W-2 fraud | HR | Redirected pay; employee identity theft | Only update direct deposit via the secure HR portal, never email |
| OAuth / consent phishing | IT / Developers | Persistent cloud access without a password | Review app permissions carefully. Revoke unknown apps. Report odd auth prompts |
| Smishing/vishing | All roles | Voice/SMS bypasses email filters | Hang up; call back on a verified number. Use a code word with close colleagues |
| New employee targeting | Onboarding | Low process familiarity exploited | Set clear verification steps at onboarding. Encourage questioning unusual requests |

Refer to the 10 Tips to Counter Phishing Attacks guide, a practical framework covering the training techniques and awareness strategies that reduce phishing susceptibility across enterprise teams.

What to Do With a Suspected Phishing Email: The Step-By-Step Response Guide

Identifying a suspicious email is only the first step. The actions taken immediately after determine whether the threat is contained or escalated into a broader incident.

Step 1: Do Not Click, Reply, or Forward Any Suspected Phishing Email

Any interaction with the email carries risk. Replying confirms to the attacker that the address is active and monitored. Forwarding may expose additional recipients to the same threat. If the email was opened, close it without interacting with any element of its content.

Step 2: Do Not Use the Unsubscribe Link of a Phishing Email

Clicking an unsubscribe link in a phishing email confirms to the attacker that the address is valid and responsive. In a phishing context, the unsubscribe link is either a tracking mechanism, a malicious link, or both.

Step 3: Report the Suspected Phishing Email Through the Right Channel

Most enterprise email environments provide a dedicated reporting mechanism that submits the message directly to the organization's security team for analysis, without requiring further interaction with the message. Reporting suspected phishing emails, even those that turn out to be legitimate, provides threat intelligence that improves detection for the entire organization.

Avoid forwarding the email inline to the security team. A forwarded copy carries the forwarder's headers rather than the original Received and Authentication-Results headers that analysts need, and rendering the message to forward it can load remote images that act as tracking pixels. Where no reporting button exists, send the message as an attachment (an .eml file) so the original headers survive intact.

Step 4: Notify the IT or Security Team Directly

In addition to using the in-client reporting button, notify the IT or security team through an independent channel such as an internal ticketing system or a direct message to a known security contact. This step is particularly important when the suspected email references an internal system, an executive, a vendor relationship, or a financial process requiring immediate investigation.

Where to Report a Phishing Email: APWG, FBI IC3, FTC, CISA, and Google

Reporting suspected phishing emails to external organizations contributes to collective threat intelligence and supports law enforcement investigations. The following resources accept phishing reports from individuals and organizations:

  • APWG: forward suspected phishing emails to reportphishing@apwg.org or submit through apwg.org/reportphishing. The APWG aggregates phishing data to produce the quarterly Phishing Activity Trends Report referenced throughout this guide
  • FBI IC3: file a complaint at ic3.gov. The IC3 accepts reports of phishing, BEC, and cybercrime-enabled fraud and refers actionable complaints to law enforcement agencies
  • FTC: report phishing at reportfraud.ftc.gov. The FTC uses complaint data to identify fraud patterns and support consumer protection enforcement
  • Microsoft: use the Report Message add-in in Outlook to submit phishing emails directly to Microsoft's threat intelligence infrastructure
  • Google: select "Report phishing" from the three-dot menu in Gmail. Full instructions at support.google.com/mail/answer/8253
  • CISA: report phishing affecting critical infrastructure at cisa.gov/report or by calling
  • PhishTank: submit suspected phishing URLs at phishtank.org for community verification and inclusion in security tool databases
  • Outside the U.S.: For support outside the United States, report to the NCSC in the United Kingdom, the Canadian Anti-Fraud Centre, and the Australian Cyber Security Centre. Most countries have a regional equivalent for phishing reporting

What Should a Person Do if They Clicked on a Phishing Link or Opened a Phishing Attachment

Clicking a phishing link or opening a malicious attachment does not automatically result in a breach. The outcome depends on what was clicked, what information was entered, and how quickly the response is executed.

Step 1: Act Immediately: Why Reporting a Phishing Click Fast Is the Most Important Step

The instinct to delay reporting out of embarrassment is the most damaging response to a phishing click. Security teams are equipped to handle these incidents and cannot do so effectively without prompt notification. Every minute between the click and the security team's awareness is additional exposure time for any malware deployed or credentials harvested. The same rule applies to a personal account: act quickly, without panic.

Step 2: Disconnect the Device From the Network

Immediately disable Wi-Fi and unplug any Ethernet connection. This prevents potential malware from communicating with attacker-controlled infrastructure or spreading laterally across the network. Do not power off the device, as this may overwrite volatile memory containing forensic evidence that the security team needs to determine the scope of the compromise.

Step 3: Identify What Was Clicked and What Information Was Entered

Reconstruct the sequence of events:

  • Which link was clicked or attachment opened
  • Whether credentials were entered and on which platform
  • Whether the same password is used on other accounts
  • Whether personal or financial information was submitted
  • Whether any file was downloaded or executed
  • The approximate time the interaction occurred

Step 4: Change Compromised Passwords from a Clean Device After a Phishing Click

Passwords should be changed from a separate device not involved in the interaction, as the affected device may be running credential-stealing malware. Prioritize in this order:

  1. The compromised account
  2. Any account sharing the same password
  3. Email accounts
  4. Financial accounts
  5. Accounts accessed from the affected device after the click

Step 5: Enable Multi-Factor Authentication

Enable MFA immediately on the compromised account and any related accounts, using a clean device. If MFA was already active and credentials were still captured, notify the security team immediately, as the attack may have involved an AiTM phishing kit capable of intercepting session tokens after MFA verification. A stolen session token remains valid after a password change, so existing sessions on the affected accounts must be revoked as well.

Step 6: Notify the Security Team Immediately and What Information to Provide

Notify the security team providing the full reconstructed sequence of events. The security team will isolate the affected device, review authentication logs, revoke active sessions, assess whether lateral movement or data exfiltration occurred, and determine whether additional accounts were accessed using the compromised credentials.

For a personal account, contact the bank if the phishing led to a financial loss, and contact the support team of the affected service directly for account recovery steps and any further actions they recommend.

Step 7: Monitor Affected Accounts for Suspicious Activity

Review login history, active sessions, account setting changes, outbound messages or transactions the account holder did not initiate, and newly authorized devices or applications across all potentially compromised accounts in the weeks following the incident.

Step 8: Address Personal Data Exposure

If personal information, including Social Security numbers, financial account details, or identity data, was submitted on the phishing page:

  • Contact relevant financial institutions to place a fraud alert or account freeze
  • File a report with the FTC at reportfraud.ftc.gov
  • Place a credit freeze with Equifax, Experian, and TransUnion to prevent new accounts from being opened in the victim's name
  • Monitor credit reports for unauthorized account openings or inquiries

If the interaction occurred on a personal device that had access to organizational accounts or systems, notify the IT or security team regardless, and run a reputable malware scan before reconnecting the device to any network.

Why People Fall for Phishing Emails: The Psychology of Social Engineering

Following the steps above is straightforward in principle. What makes it genuinely difficult is the conditions under which the decision to click is made. The more important question is why intelligent, security-aware individuals, including professionals who teach others to recognize phishing, continue to fall victim to attacks they would identify immediately under different conditions.

Decision Fatigue: Why Phishing Attacks Succeed More Often at the End of the Workday

The human capacity for careful evaluation depletes across the course of a day. A recipient who encounters a suspicious email at 9 am, alert and focused, applies meaningfully different scrutiny than the same recipient encountering the same email at 6 pm following a full workday of meetings and context-switching.

Phishing campaigns benefit from this asymmetry without needing to engineer it. Attackers operating at scale rely on the statistical certainty that a portion of recipients will be fatigued or cognitively overloaded at the moment of delivery.

Authority Bias: Why Emails from 'the CEO' or 'IT Support' Bypass Critical Thinking

Authority bias is the tendency to assign greater credibility to messages that appear to originate from figures of institutional authority. A message appearing to come from the CEO, IT department, or a regulatory body activates the same deference response that a genuine message from those sources would.

The recipient does not consciously decide to trust the sender; trust is conferred automatically before any critical evaluation begins, compressing the window in which the request is scrutinized.

The Fear Response: How Phishing Emails Create Just Enough Urgency to Trigger Action

Phishing messages that invoke fear, such as account suspension, a financial penalty, or unauthorized access, activate the brain's threat response. Phishing campaigns exploit this by constructing scenarios that feel threatening without being extreme enough to trigger conscious alarm. A message that is too alarming triggers skepticism; one that creates precisely calibrated concern produces action before reflection.

The Troy Hunt Mailchimp Breach: How a Phishing Attack Succeeded Against a Security Expert

Troy Hunt is the founder of Have I Been Pwned, a Microsoft Regional Director, and a security educator who has dedicated his career to teaching others to recognize phishing attempts. In March 2025, he became a victim of precisely the type of attack he instructs others to identify.

In a detailed post on his personal blog, Hunt documented how a phishing email impersonating Mailchimp claimed his account had been restricted due to a spam complaint. Several factors contributed to the success of the attack:

  1. The message produced just enough urgency to prompt action without appearing excessive
  2. Hunt was fatigued from travel and the effects of jet lag
  3. His password manager did not auto-fill credentials on the fraudulent site, a meaningful indicator that he did not register at the time
  4. The attack was highly automated and designed to export the mailing list before the victim could intervene, exfiltrating approximately 16,000 subscriber records in under two minutes
  5. The fraudulent site relayed his one-time passcode to Mailchimp through an adversary-in-the-middle technique, completing authentication on his behalf before he recognized what had occurred

The Hunt incident illustrates the limits of individual awareness. What determines outcomes is whether training keeps pace with the specific techniques currently reaching employees' inboxes, and whether security teams have the visibility to detect campaigns before they succeed.

How to Build a Phishing-Resistant Team in the AI Era: What Effective Training Requires

Generic phishing simulation programs draw from template libraries built around historical attack patterns: obvious urgency language, suspicious attachments, and generic sender addresses. The phishing campaigns reaching inboxes in 2026 are AI-generated, contextually personalized, and structurally indistinguishable from legitimate correspondence. Training employees to identify the former does not prepare them to identify the latter.

Why AI Phishing Threats Require AI-Powered Phishing Simulation Training

Adaptive Security uses AI to generate phishing simulations that reflect current attack techniques rather than historical ones, incorporating the personalization, linguistic precision, and contextual plausibility that characterize AI-assisted spear phishing campaigns. This includes multi-channel attack simulations that replicate email-to-voice and email-to-SMS sequences, rather than treating phishing as a single-vector email problem.

Simulations are role-specific and calibrated to the workflows and contexts relevant to each employee's function. Finance team members receive BEC and payment redirection scenarios. HR personnel receive payroll redirection simulations. Executive assistants receive whaling-adjacent lures reflecting their organizational context. The objective is detection capability against the specific scenarios each employee is most likely to face.

Phishing Reporting and Triage for Security Teams: Reducing Response Time

The phishing reporting functionality gives employees a direct, low-friction mechanism for flagging suspicious emails. Reducing reporting friction increases reporting rates and the volume of threat intelligence available to the security team. Aggregated reporting data also surfaces patterns that individual reports would not reveal.

Adaptive Security's phishing triage capability provides security teams with structured visibility into reported suspicious emails, enabling faster determination of whether a reported message represents an isolated lure, an active campaign targeting multiple employees, or a simulation result.

This reduces the interval between the initial employee report and organizational response, during which additional employees remain exposed to the same campaign.

Request a demo to see how Adaptive Security's platform trains employees to recognize and respond to AI-generated phishing threats in their specific organizational context. Or explore the self-guided tour to understand how phishing simulations, triage, and reporting work in practice.

Frequently Asked Questions About How to Spot a Phishing Email

How Fast Can a Phishing Attack Succeed Once Clicked?

Extremely fast. Modern phishing infrastructure is largely automated, meaning credential theft, account access, and data exfiltration can occur within seconds to minutes of a victim submitting information on a fraudulent page.

AiTM phishing kits relay credentials and one-time passcodes to the target platform without requiring any manual intervention from the attacker. Reporting the incident to the security team immediately after clicking is the most effective damage-limiting action available.

Where Should Suspicious Emails Be Forwarded to Report Them to a National Authority?

Reporting destinations vary by country. In the United States, phishing emails can be reported to the FBI's Internet Crime Complaint Center and the FTC. In the United Kingdom, the National Cyber Security Centre accepts reports at report@phishing.gov.uk. Australians can report to the Australian Cyber Security Centre. The Anti-Phishing Working Group accepts submissions globally. Within an organization, the internal security team should always be notified through a dedicated reporting channel.

What Is the Most Common Sign of a Phishing Email?

The most consistently reliable sign is a sender domain that does not match the legitimate organization it claims to represent. This includes subtle misspellings, number-for-letter substitutions, and hyphenated additions to a legitimate domain name.

Beyond the sender address, and especially in the AI era, the most effective signs are process- and motivation-oriented rather than technical: unexpected requests for sensitive information and instructions that bypass normal verification processes. These are the most frequently observed indicators across phishing campaigns of all sophistication levels.

What Is the Most Common Type of Phishing Email?

The most common type of phishing email can vary widely from year to year, and even from month to month. Attackers and defenders follow a cycle: a technique becomes prevalent, awareness of it grows and recognition improves, and another type takes its place. However, a few email types are consistently among the most commonly used.

Credential harvesting emails impersonating trusted platforms are amongst the most prevalent types. These messages replicate the branding, formatting, and tone of widely used services such as Microsoft 365, Google, DocuSign, and major financial institutions, directing recipients to fraudulent login pages designed to capture usernames and passwords.

Business email compromise, in which attackers impersonate executives or vendors to request financial transactions, represents the most financially damaging category, though credential harvesting accounts for the highest volume of individual phishing attempts.

Why Do Hackers Deliberately Use Bad Spelling?

In some cases, poor spelling is not deliberate but reflects the attacker's limited language proficiency or the output quality of basic automation tools. When intentional, the strategy serves as a filtering mechanism: a recipient who overlooks obvious spelling errors demonstrates a lower level of critical scrutiny, making them a more viable target for the subsequent request. Highly credulous recipients are more valuable to attackers than skeptical ones, so filtering for them early reduces wasted effort on subsequent engagement.

Can Phishing Emails Come from a Trusted Contact, and How to Tell?

Yes. Phishing emails can originate from compromised legitimate accounts, meaning the sender address belongs to a genuine colleague, vendor, or partner whose email account has been taken over by an attacker. In other cases, the sender address is spoofed to appear identical to a trusted contact.

In such a case, indicators are process and behavior-oriented, including:

  • Requests that fall outside the contact's normal responsibilities
  • Unusual urgency
  • Instructions to bypass standard processes
  • Financial or credential requests that deviate from the established workflow

Independent verification through a separate communication channel is the appropriate response.

What to Do if a Phishing Link Was Clicked On?

  1. Disconnect the affected device from the network immediately without powering it off
  2. From a separate clean device, change the password of any account whose credentials may have been entered, prioritizing email and financial accounts
  3. Enable multi-factor authentication where it is not already active
  4. Notify the IT or security team as quickly as possible, providing the time of the interaction and details of what was accessed or submitted
  5. If personal financial information was disclosed, contact the relevant financial institutions and consider placing a credit freeze.

Are Phishing Emails Illegal?

Yes. Phishing is a criminal offense in most jurisdictions. In the United States, phishing attacks can be prosecuted under the Computer Fraud and Abuse Act, wire fraud statutes, and identity theft legislation, carrying significant prison sentences and financial penalties.

Similar legislation exists across the European Union, the United Kingdom, Canada, and Australia. Organizations that fall victim to phishing attacks resulting in data breaches may also face regulatory liability under data protection frameworks, including GDPR, HIPAA, and equivalent national legislation, depending on the nature of the data compromised.

How Do Hackers Obtain Email Addresses to Target with Phishing?

Email addresses are obtained through several well-documented channels:

  • Data breaches expose email addresses from compromised organizational databases, and these records are aggregated into breach corpora traded on dark-web marketplaces
  • Data brokers compile and sell contact information harvested from public records, social media profiles, and commercial databases
  • Email addresses are also harvested through web scraping of publicly accessible pages, extracted from leaked corporate directories, and generated through dictionary attacks against known domains.

Monitoring whether a personal or professional email address appears in known breach data is a practical first step in assessing exposure.

What Is the Difference Between Phishing and Spam?

Spam is unsolicited bulk email distributed primarily for commercial purposes, such as advertising or affiliate marketing. It is disruptive but typically not malicious. Phishing is a category of attack that uses deceptive email content to manipulate recipients into disclosing sensitive information, transferring funds, or installing malware.

The distinguishing factor is intent: spam seeks engagement with a commercial offer, while phishing seeks to deceive the recipient into an action that serves the attacker's objectives. Some phishing emails are distributed at the same volume as spam, but the presence of a malicious objective places them in a distinct threat category.

Can AI Detect Phishing Emails?

AI-based detection systems analyze incoming messages for indicators that pattern-matching and rule-based filters miss, including subtle domain anomalies, behavioral signals, contextual inconsistencies, and emerging attack patterns.

The limitation of any detection system is that AI is also being used on the attack side to generate content specifically designed to evade AI-based filters, making continuous model updating a necessary characteristic of effective AI-based phishing detection.

How to Tell if an Email Is a Phishing Attempt if It Has No Spelling Mistakes?

Focus on structural and behavioral signals rather than linguistic ones:

  • Verify the sender domain character by character against the legitimate domain of the purported sender
  • Hover over any links to confirm the destination matches the claimed sender
  • Assess whether the request aligns with the sender's normal responsibilities and whether it follows established organizational processes.

Any request for sensitive information, financial action, or credential submission arriving through email only, without a corresponding independent confirmation, warrants verification through a separate communication channel regardless of how polished the message content appears.

How to Check if an Email Link Is Safe Without Clicking It?

On the desktop, hover the mouse cursor over the link without clicking to reveal the destination URL in the browser's status bar. Read the registered domain carefully, specifically the segment immediately to the left of the top-level domain, and verify it matches the legitimate domain of the purported sender.

For additional verification, copy the URL and submit it to VirusTotal, URLScan.io, or Google Safe Browsing, which assess the destination against security vendor databases without requiring the user to visit it. On mobile, a long press on the link displays a destination preview before any navigation occurs.
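The registered-domain check described here, together with the lookalike patterns named under "the most common sign" (misspellings, number-for-letter substitutions, hyphenated additions), as an added example in Python that is not code from the article or from Adaptive Security. The small multi-label suffix set and the digit-substitution table are constructed simplifications; production code should load the Public Suffix List instead.

```python
"""Classify a link destination against the purported sender's legitimate domain.

Added example, not from the article. Implements the hover check in code:
take the host, drop any user@ prefix and :port, find the registrable domain
(the label immediately left of the public suffix) and compare it with the
sender's real domain, flagging the lookalike tricks the article names.
"""
from urllib.parse import urlsplit

# Constructed stand-in for the Public Suffix List (assumption: real code loads the PSL).
MULTI_LABEL_SUFFIXES = {"co.uk", "gov.uk", "com.au", "co.jp"}

# Number-for-letter substitutions seen in lookalike domains (paypa1.com, micros0ft-teams.net).
DIGIT_TO_LETTER = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def registered_domain(url: str) -> str:
    """Return the registrable domain of the URL's host, lowercased, without userinfo or port."""
    if "://" not in url:
        url = "http://" + url          # bare 'paypal.com/login' would otherwise parse as a path
    host = (urlsplit(url.strip()).hostname or "").lower().rstrip(".")
    if not host or host.replace(".", "").isdigit():
        return host                    # empty or a raw IPv4 address: nothing to split
    labels = host.split(".")
    if len(labels) < 2:
        return host
    suffix_len = 2 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 1
    return ".".join(labels[-(suffix_len + 1):])


def classify_link(url: str, legit_domain: str) -> str:
    """'match', 'lookalike' (digit substitution or hyphenated brand prefix) or 'mismatch'."""
    legit = legit_domain.lower()
    target = registered_domain(url)
    if target == legit:
        return "match"
    legit_label = legit.split(".")[0]
    target_label = target.split(".")[0]
    # paypa1 -> paypal: identical once digits are mapped back to letters
    if target_label.translate(DIGIT_TO_LETTER) == legit_label:
        return "lookalike"
    # micros0ft-teams -> microsoft: the brand label with a hyphenated addition
    head = target_label.split("-")[0]
    if head == legit_label or head.translate(DIGIT_TO_LETTER) == legit_label:
        return "lookalike"
    # paypal.com.evil.net or paypal.com@evil.net: the brand appears, but the
    # registrable domain is someone else's
    return "mismatch"


if __name__ == "__main__":
    # Constructed sample links, as a reader would see them when hovering
    for link in ("https://www.paypal.com/signin", "https://paypa1.com/signin",
                 "https://paypal.com@evil.net/login", "https://paypal.com.evil.net/"):
        print(f"{link:40} -> {classify_link(link, 'paypal.com')}")
```

Only the registrable domain decides the verdict; a familiar brand name appearing in a subdomain, path or user@ prefix is treated as a mismatch.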

Can a Phishing Email Infect a Computer Just by Opening It?

In most cases, simply opening a phishing email in a standard email client does not result in infection. The risk arises from interaction: clicking a malicious link, opening a weaponized attachment, or enabling macros in a downloaded document.

However, a category of vulnerability known as zero-click exploits targets the rendering engine of email clients, meaning that in some cases a malicious message can execute code when the email is previewed or opened, without any further user interaction. Keeping email clients, operating systems, and security software fully patched is the primary defense against this category of attack.

Adaptive Team
As experts in cybersecurity insights and AI threat analysis, the Adaptive Security Team is sharing its expertise with organizations.